How can a business distribute an employee privacy notice to job applicants?

Beginning in 2020, the CCPA required that businesses subject to the Act provide job applicants with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.¹ Beginning on January 1, 2021, employers are required to include twelve additional topics in privacy notices given to job applicants.

While the CCPA does not dictate the manner in which a privacy notice should be distributed to job applicants, many employers consider using one or more of the following distribution techniques:

Homepage. Some employers include references to the personal information collected from job applicants in a unified privacy notice posted on the company’s homepage in a persistent footer.
Online application submission form. Businesses that solicit applications through an online submission form often add a link to the privacy notice that describes the collection of information from job applicants on the form submission page.
Email. Some employers email a copy (e.g., PDF) of the privacy notice that applies to job applicants to each candidate that submits an application.
URL on paper applications. Some employers that accept paper job applications include a reference to where the applicant can find a full copy of the business’s privacy notice on the paper application form.
Copy on paper applications. Some employers include a copy of either the full privacy notice, or a short form privacy notice, on any paper application forms.

It is important to note that regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to job applicants with disabilities.² The Modified Proposed Regulations also imply that if a business elects to distribute a privacy notice in hard copy (e.g., copy on the back of a paper application), it may still need to post an electronic copy of the privacy notice “online.”³

How can a business distribute an employee privacy notice to current employees?

Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.¹ Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.

While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:

Computer log-in notice. Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
Email. Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
Open enrollment. Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
Paper Distribution. Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).

It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.² As a result, if some employees do not have access to some format as a result of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution) it may still need to post an electronic copy of the privacy notice “online.”³

The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.

Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?

It depends.

The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.

Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” ¹ While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:

Privacy Notice Disclosures Required as of January 1, 2020 In All Privacy Notices (e.g., employee and non-employee)
1. Identify the enumerated categories of personal information collected.²
2. Identify the general purpose for which information will be used³

Privacy Notice Disclosures Required as of January 1, 2020

In All Privacy Notices (e.g., employee and non-employee)

1. Identify the enumerated categories of personal information collected.²

2. Identify the general purpose for which information will be used³

Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices
1. Explain the ability of a California resident to request access to their personal information.⁴
2. Identify the enumerated categories of personal information shared with services providers.⁵
3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).⁶
4. State that a California resident has the ability to opt-out of sale of information (if applicable).⁷
5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).⁸
6. Explain the ability of a California resident to request deletion of their personal information.⁹
7. Provide general information concerning the sources from which personal information was collected.¹⁰
8. Provide general information concerning the third party recipients of personal information¹¹
9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.¹²
10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.¹³
11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.¹⁴
12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.¹⁵

The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.

Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?

No.

Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.¹

Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.²

The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.

Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.

GDPR

CCPA

There are no specific requirements governing the methods by which a data subject can submit a request.
A business should provide methods for requests to be made electronically, especially where personal data is processed by electronic means.³

Access:

If a business only operates online, it is only required to provide an email address.⁴
If a business is not only online, it must provide, at a minimum, a toll-free number and a website address.⁵
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.⁶

Opt-out:

A business must provide a link on the homepage titled “Do Not Sell My Personal Information.”⁷
A business must provide at least two methods for submitting requests (no exception for online-only).⁸
One of the methods must be an interactive form accessible through the “Do Not Sell” link.⁹
At least one method to opt-out must reflect the manner in which the business primarily interacts with the consumer.¹⁰
The business must treat user-enabled global privacy controls as a valid opt-out request.¹¹
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹²

Delete:

A business must provide at least two methods for submitting requests (no exception for online-only).¹³
If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.¹⁴

Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?

No.

Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.¹ As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.

While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. ² Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.

GDPR

CCPA

General Rules:

There are no specific requirements for the verification of a requestor.
If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this will trigger the GDPR’s data breach provisions.
If there are doubts concerning the identity of an individual, the controller may request additional information.
The controller must use all reasonable measures to verify the identity of a data subject who requests access to their information.
A business must establish procedures for verifying the identity of a requestor. This implies that the procedures must (or should) be documented and complied with.

General Rules:

If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this may or may not trigger the CCPA’s data breach provisions.
A business shall avoid requesting new information for verification unless it is necessary to complete the verification.⁵
Any additional information collected for the purposes of verification may only be used to verify the individual.⁶
A business must establish, document, and comply with a reasonable method for the verification of requests.⁷
A business cannot require the consumer to pay a fee for the verification of their identity. This includes requiring a consumer to provide a notarized affidavit (unless the business compensates the consumer for the cost of notarization).⁸
If the consumer maintains an account, the business may verify their identity through that account using the business’ standard verification measures.⁹

Access:

If a specific information-access request is denied, the business must evaluate the request as if it were a category-access request.¹⁰
A business must verify individuals who submit category-level access request to a reasonable degree of certainty, which may include matching at least two data points.¹¹
A business must verify individuals who submit specific-information access requests to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹²

Opt-Out:

A request to opt-out does not need to be verifiable.¹³

Deletion:

A business must verify individuals who submit deletion request to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.¹⁴

Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?

Does a business need to post a “do not sell” link if it does not sell personal information?

What steps must a business take if it sells personal information?

Are companies required under the CCPA to get employees’ consent before collecting their personal information?

No.

The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in two situations when dealing with employees:

Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.¹ In other words, if an employee consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.²
Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer has “affirmatively authorized the sale” of personal information.³ In other words, opt-in consent is needed to sell the information of a minor-employee. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph the information transfer might not be a “sale” at all.
Re-soliciting the ability to sell. The CCPA states that if a person opts-out of the sale of information (E.g., click a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”⁴ As a result, if a company sells the information of its employees, and provides employees a do not sell option, it is not permitted to ask those employees that opt-out for permission to sell for 12 months.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code § 1798.140(t)(2)(A).

2. Cal. Civil Code § 1798.140(t)(2)(A).

3. Cal. Civil Code § 1798.120(c).

4. Cal. Civil Code § 1798.135(a)(5).

What does a Human Resources Director need to know about the CCPA?