HR Policy Association
News

HR Data in the Crosshairs: Fall 2022 Technology Policy Outlook

In certain cases, a measure that doesn’t pass has as great an impact as signed legislation. This week, California legislators failed to extend an exemption of HR data from most of the provisions of its consumer-focused privacy law—meaning that, as of January 1, 2023, the full suite of privacy rights granted under the California Consumer Privacy Act (CCPA) will apply to employees, job applicants, and contractors who are residents of California.

Previously, the only application of the CCPA in the HR context has been some privacy notice and breach remediation provisions. This term, the California legislature considered a number of bills to address or extend the CCPA’s HR data exemption, with labor unions, privacy advocates, and the business community seeking to reach a deal. Unfortunately, no deal was reached. As a result, companies must now untangle the implications and respond to the new compliance requirements. Below are our top five takeaways for HR leaders:

  1. Get used to the term “Data Subject Access Request” (DSAR). Beginning January 1, employees, applicants, and contractors will have the right to know, correct, and delete their personal information held by an employer, or by the employer’s vendor on the employer’s behalf. Employees will also gain the right to opt out of the sale or sharing of their personal information by their employer and employer’s vendors, to restrict the use of their sensitive personal information, and not to be retaliated against for exercising these rights. Several of these rights come with critical limits and exceptions (for example, an employer will not have to honor a request to delete data needed to comply with other laws, to complete a transaction, or to defend a legal claim). The CCPA has a 12-month look-back period, meaning all data collected about employees in 2022 is also covered. Additionally, employers will have to comply with notice and privacy policy obligations with respect not only to their own employees, but also their independent contractors and applicants.

  2. The HR function is about to get more technical. Compliance with the CCPA will require cross-functional cooperation between HR, legal, and IT teams. Companies will have 45 days to fulfill data subject requests, and the countdown begins as soon as an employer receives such a request. Various company functions will have to work together to design procedures and policies for handling these and other new requirements—for example, on data minimization (how long do you need certain HR data), determining how to handle requests to delete data, and the development of CCPA-compliant privacy policies.

  3. Folding HR data into CCPA compliance programs will be a tall task for many companies. The California Consumer Privacy Act was designed with consumers—not employees—in mind, and thus compliance will require special consideration by employers. For starters, companies will need to beef up data mapping, train HR and legal teams to handle employee requests, develop policies and procedures around such requests, and install verification processes to ensure information is provided to individuals who have a right to it.

  4. This development assures future policy developments in the HR privacy space. Current proposed CCPA regulations do not contain any mention of the employment context, but it will be no surprise if future rulemakings do. California’s new California Privacy Protection Agency was conceived and designed as a consumer protection agency. Now, it will find itself in the middle of workplace controversies. Regarding future legislating at the state and federal level, the seal has been broken, and now all eyes will look toward California to gauge the success (or lack thereof) of what amounts to a new HR privacy law. Depending on the reaction of the California employer community to these challenging new requirements, there could be another push to reach a compromise acceptable to all parties, though its enactment would have to wait until after the law takes effect on January 1. Meanwhile, the fact that the CCPA will already be in place for HR data will minimize the leverage those employers have to arrive at a more acceptable scheme. At the federal level, many but not all current proposals would exempt HR data. (Interestingly, a federal law preempting state law and excluding HR data, such as the ADPPA, could turn the CCPA into strictly an employee privacy law.) Yet as with many issue areas, the states will prove to be the testing ground for HR privacy policies. One California bill introduced earlier this year—AB 1651—proposed a broad array of HR data restrictions and requirements, including the banning of certain uses of AI, requirements to submit HR technologies to lengthy audits by independent assessors, and the ability of DSARs to be submitted through an “authorized representative” of an employee who is not the employer. Which leads us to the final takeaway:

  5. For a preview of what’s to come, look to Europe. California’s CCPA contains many similarities to the EU’s General Data Protection Regulation (GDPR). For example, under GDPR, employees have the right to access data, the right to “objection” (i.e., object and thereby require employers to cease processing personal information for particular purposes), the right to correction, and the right to delete. Therefore, the EU may provide a preview of how DSARs will be used by current and former workers. One area employers may want to pay attention to is the use of DSARs by European Works Councils as a strategy to apply pressure to companies.

California’s CCPA is now, in effect, the first comprehensive privacy law to apply to HR data in the U.S. The employer community will be challenged to make compelling arguments to align any future policy efforts in this area with realistic assessments of how the workplace actually works—and whether certain proposals are necessary in the first place.
