Reminder: California Employee Personal Data In-Scope of California Data Protection Law Effective Jan. 1, 2023 | Benesch

The Employee Data Exemptions that existed in the original CCPA will no longer be effective in 2023 as the scope of the data protection law expands under the CPRA.

Among its many changes was to strike the CCPA’s original employee data exemptions. Under the CCPA, the data protection requirements do not apply to personal information collected from a job applicable, employee, owner, director, officer, staff, etc. of a business; provided that the personal information collected is only used in the context of that person’s business role.

That exemption meant that businesses that may were not consumer facing, or where only collecting small amounts of consumer personal information—outside of their employee base—likely did not have to comply with the CCPA’s requirements. Additionally, even businesses who were within the scope of the CCPA did not have to include their employee personal information in their compliance efforts.

However, the CPRA amends the CCPA and phases the exemption out. Beginning Jan. 1, 2023, businesses that fall within the scope of the CCPA must meet the CCPA’s requirements even for collected employee personal information that is only collected and used in the employment context.

This also means that businesses who have large employee bases in California who otherwise did not originally fall within the scope of the CCPA, might fall within the scope of the CCPA moving forward.

Original Exemptions

The main employee personal information exemption under the original CCPA exempted all personal information collected about an individual acting in their job applicant, employee, owner, manager, contractor, etc. role. But this exemption only operated where the personal information was only collected and used in the context of the individual’s employment role.

The original CCPA also extended two more related exemptions and exempted: (i) personal information collected by a business as emergency contact information, provided such information is only used for emergency contact purposes; and (ii) personal information that is necessary for the business to retain and administer employee benefits, provided such information is only used for such purposes.

All three exemptions expire on Jan. 1, 2023, meaning businesses will need to ensure they are in compliance with the CCPA’s requirements with regard to any and all employee, or employee-related, information.

Scope and Requirements

As a reminder, the CPRA also amended the CCPA’s applicability thresholds (e.g., what businesses need to comply with the data protection requirements.

Under the CPRA, the CCPA’s requirements apply to any for-profit business that target’s California consumers and meets one of the following three thresholds: (i) has over $25 million in annual gross revenue (in the aggregate, not just in California revenue); (ii) buys, sells, or shares 100,000 or more consumers’ personal information; or (iii) derives 50% or more of its gross revenue (in the aggregate) from selling personal information.

Once a business is in scope, they must treat all in-scope personal information in compliance with the CCPA. This will now include applying the CCPA’s requirements to employee personal information.

Businesses must, among other requirements: (i) provide full and proper notice to job applicants, employees, contractors, etc. informing them of how their information is collected, used, and the rights they have over such information (likely through a form of hard copy or click through privacy policy); (ii) build out internal policies and procedures to afford employees, job applicants, contractors, etc. the same CCPA rights afforded to other California consumers; and (iii) ensure contracts with vendors who process such information on the businesses behalf, properly contemplate CCPA compliance.

In relation to the rights afforded to job applicants, employees, contractors, etc., the CPRA amends the CCPA to include the following rights to: (i) know or access the personal information a business is collecting about them; (ii) delete the personal information a business is collecting about them; (iii) opt-out of the selling or sharing of their personal information; (iv) to not be discriminated against for exercising any of their rights; (v) to correct or rectify any inaccurate personal information that is collected about them; and (vi) to limit the use and disclosure of sensitive personal information.

These rights largely overlap with the current CCPA rights; however, some are new (i.e., the sensitive personal information rights) and those become operative on Jan. 1, 2023, as well, in tandem with the employee data exemptions expiring.

Moving Forward

Similar to when the CCPA became effective in 2018, businesses will once again need to analyze whether the CCPA (as amended by the CPRA) will not apply and to what information it will regulate.

With the exemptions expiring, more businesses will likely be considered in-scope of the CCPA, and more information will undoubtedly be considered in-scope as well.

It is also important to note that the expiring exemptions will also mean businesses need to treat employee emergency contact or benefit beneficiary information in compliance with the CCPA, leaving open the question of how to meet those compliance requirements as businesses do not have a natural moment to provide, or direct relationship with, emergency contacts or benefit beneficiaries with the notices required.