- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
How can a business distribute an employee privacy notice to job applicants?
While the CCPA does not dictate the manner in which a privacy notice should be distributed to job applicants, many employers consider using one or more of the following distribution techniques:
- Homepage. Some employers include references to the personal information collected from job applicants in a unified privacy notice posted on the company’s homepage in a persistent footer.
- Online application submission form. Businesses that solicit applications through an online submission form often add a link to the privacy notice that describes the collection of information from job applicants on the form submission page.
- Email. Some employers email a copy (e.g., PDF) of the privacy notice that applies to job applicants to each candidate that submits an application.
- URL on paper applications. Some employers that accept paper job applications include a reference to where the applicant can find a full copy of the business’s privacy notice on the paper application form.
- Copy on paper applications. Some employers include a copy of either the full privacy notice, or a short form privacy notice, on any paper application forms.
It is important to note that regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to job applicants with disabilities.2 The Modified Proposed Regulations also imply that if a business elects to distribute a privacy notice in hard copy (e.g., copy on the back of a paper application), it may still need to post an electronic copy of the privacy notice “online.”3
How can a business distribute an employee privacy notice to current employees?
Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1 Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.
While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:
- Computer log-in notice. Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
- Email. Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
- Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
- Open enrollment. Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
- Paper Distribution. Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).
It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.2 As a result, if some employees do not have access to some format as a result of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution) it may still need to post an electronic copy of the privacy notice “online.”3
The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.
Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?
The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.
Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” 1 While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:
|Privacy Notice Disclosures Required as of January 1, 2020
In All Privacy Notices (e.g., employee and non-employee)
|1. Identify the enumerated categories of personal information collected.2|
|2. Identify the general purpose for which information will be used3|
|Additional Privacy Notice Disclosures Required as of
January 1, 2020 in Non-Employee Privacy Notices and as of
January 1, 2021 in Employee Privacy Notices
|1. Explain the ability of a California resident to request access to their personal information.4|
|2. Identify the enumerated categories of personal information shared with services providers.5|
|3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6|
|4. State that a California resident has the ability to opt-out of sale of information (if applicable).7|
|5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8|
|6. Explain the ability of a California resident to request deletion of their personal information.9|
|7. Provide general information concerning the sources from which personal information was collected.10|
|8. Provide general information concerning the third party recipients of personal information11|
|9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12|
|10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13|
|11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14|
|12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15|
The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.
Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.
Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?
Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.1 As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.
While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. 2 Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.
What steps must a business take if it sells personal information?
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must stake steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt-out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?
As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for deletion in a non-standard format. The statute provides only that a business must “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”1
Taken alone, the provision states that businesses may direct consumers to a finite number of “designated methods,” with the implication that requests submitted through non-designated methods are invalid and may be ignored. The proposed regulations, however, state the opposite—specifically, the regulations require that when a consumer submits a request through a non-standard method, the business must either “[t]reat the request as if it had been submitted in accordance with the business’s designated manner, or . . . [p]rovide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.”2
Thus, in the case of a request submitted by Twitter, at a minimum the business would be required to provide the consumer who authored the tweet with information about how to submit a valid request. It is also unclear as to the time period by which a business must respond to a non-standard request, since it is unclear whether a non-standard request, such as a Twitter request, meets the definition of a “request to know” or a “request to delete” under the regulations.3
Under US law, can an employer share the name of an employee infected with a contagious disease with other employees?
Nothing within the CCPA inherently prohibits an employer from sharing the names of employees that have been infected with a contagious disease with other employees who may have come into contact with the infected employee and, as a result, might take preventative measures (e.g., self-isolation). The CCPA arguably requires only that the business take the following steps:
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure of the identity of an infectious employee would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with third parties (which, of course, would include fellow employees) for the purpose of protecting employees, protecting the public, or protecting other individuals.1
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”2 While it is not certain whether disclosing to an employee the name of an infectious person would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with employees to promote health and safety.3
It is important to note that other federal or state labor and employment laws may preclude a business from sharing the identity of a potentially contagious employee with other employees without the infected employee’s consent. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”4 Although this confidentiality requirement is subject to certain exceptions, there is currently no exception for providing an employee’s confidential medical information to other employees for purposes of promoting their health and safety. As a result, if an infectious employee was recently around other employees many employers try to inform the employees that are at heightened risk that they have been exposed without specifically identifying the individual that exposed them.
Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3 While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4
It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5 Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official investigating compliance with [the ADA].”6 Thus the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies. As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control). As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.