Published On February 27, 2020
Despite the CCPA exemption for certain HR info, organizations subject to the law may want to craft or revise an employee personal data protection policy.
As businesses subject to the California Consumer Privacy Act (CCPA) develop and implement policies and procedures to comply with the law, they may want to revisit, or develop, an employee personal data protection policy. In the rush to comply with the CCPA, which took effect on Jan. 1, 2020 and becomes enforceable by the California attorney general on July 1, 2020, some organizations may have put off the delicate matter of employee personal data.
Businesses received a reprieve from certain aspects of the CCPA in the fall of 2019, when California’s governor approved an amendment that exempts certain human resources-related data. But the reprieve is only temporary. Generally, personal data collected by organizations from job applicants, employees or contractors will not be subject to the CCPA’s requirements until Jan. 1, 2021, with some exceptions. The exemption applies only to personal data collected in an HR context. And two provisions continue to apply to HR data in the meantime: the private right of action, under which individuals can sue when their nonencrypted and nonredacted personal information is breached as a result of a business’s failure to implement and maintain reasonable security procedures and practices, and the requirement to inform individuals, at or before the point of collection, about the categories of personal information collected and the purposes for which it will be used. Yes, it’s complicated.
Why Address an Employee Personal Data Protection Policy Now?
Although the proposed regulations that implement the CCPA are not yet finalized as of this writing, and have already been revised in part, the calendar continues its all-too-rapid march toward two dates: July 1, 2020, from which the California attorney general can enforce the law, and Jan. 1, 2021, when the HR data exemption ends.
Organizations subject to the CCPA generally must delete a consumer’s personal information on request. Deletion requests from employees, job applicants or contractors will need more thought, because the answer depends on the context in which those individuals’ personal data was collected and on whether other legal obligations, such as record retention requirements, require the data to be kept.
Consider Your Data Backup Strategy
As part of their compliance efforts, organizations subject to the CCPA have likely conducted a data-mapping exercise to determine where personal data is collected, stored, used and eventually disposed.
Backed-up data should not be overlooked; it, too, is captured by the CCPA’s requirements. Given how long organizations have been backing up data and the multiple technologies they may have used over the years to do so, now is not the time to procrastinate on mapping backed-up data. Older backups may not be easily searchable for personal data, and data that cannot be found cannot be deleted on request.
Whether an organization backs up data to offsite storage, cloud storage or both, it may want to revisit its data backup strategy in light of the CCPA and get extra help in doing so. Knowing where personal data is backed up, and being able to differentiate between employee personal data and consumer personal data, has become more vital in the wake of the CCPA and in anticipation of similar laws in other states and regions.
Reassess Disposal of Personal Data
Since the CCPA gives consumers the right to request deletion of their personal information but exempts certain HR data, at least for a while, organizations might include employee data in any reassessment of their personal data disposal practices. Overlapping requirements, in the CCPA and in other applicable laws and regulations, can make data disposal challenging. Even determining what “data disposal” means, and whether it requires complete destruction, erasure, anonymization or de-identification, can be a multilayered and complicated exercise.
As circumstances and applicable legal requirements allow, organizations may want to develop and implement a shred-all program for paper as they move to digitization and cloud storage. Here, too, an entity might seek expert assistance in customizing its document retention rules.
Similarly, e-waste disposal policies and procedures may merit a second look to ensure that employees’ personal data on retired devices and storage media is addressed appropriately. Tackling some of the more nuanced and thornier elements of data privacy requirements now can ease an organization’s path toward compliance.