The Future of Employee Data Under California Consumer Privacy Act (CCPA)

When we think about privacy regulations, our first thought centers around the protection of consumer data. That most organizations should also keep in mind is that these data privacy laws also pertain to protecting your employees' data as well.

According to employment attorneys Jessica Gross and Justine Philips, there are two points that the HR department of an organization needs to keep in mind with regards to staying compliant with the CCPA:

1. "It requires mandatory privacy notices and disclosures about the data collected by employers and purpose for the collection."
2. "It provides for statutory damages ranging from $100-750 if sensitive personal information is breached."

The organization's HR department has a huge responsibility and stake in keeping the organization compliant with data privacy regulations. If the organization fails to fulfill the aforementioned points it could result in non-compliance, which means penalties, both as statutory damages and fines along with reputational damage.

Employees and potential employees are both very concerned about how their personal information is being collected and captured by their employers. And employees will not hesitate to go to court to enforce their rights. Thus employers should work to implement all responsibilities on employment data imposed by data privacy regulations such as the CCPA.

This article will talk about the importance of employee data under the CCPA and steps that can be taken to comply with this regulation.

Employee Data Under the CCPA

While it is true that employment data was excluded from many of the legal obligations and requirements of the CCPA, as per a time-sensitive exemption brought by the California Legislature via Assembly Bill No. 25, there are still some obligations on employee data under the CCPA which are enforceable right now and which businesses have to follow to avoid violation and potential penalties.

Under Section 1798.145(h)(3) of the CCPA, since Jan. 1, 2020, a notice must be provided to employees by employers, at or before the point of the collection of personal information.

Under Section 1798.100(b) read along with CCPA Regulation § 999.305.(f) this notice to employees needs to include the following information:

• Categories of personal information that will be collected.
• Commercial or business purpose for collection of personal information.

It is important to note that the notice should be:

• Prominent and readily available where employees will encounter it at or before the point of collection of any personal information. For example, if the employer is monitoring its employees physical actions via CCTVs, it must inform them with prominent signage within the physical location.
• Using plain and straightforward language and should be in a language in which business is ordinarily conducted.
• Reasonably accessible to consumers with disabilities. For example, for online notices, it should follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium.

It is important to note that a business shall not collect categories of personal information other than those disclosed in the notice at the time of collection. If the business intends to collect additional categories of personal information, the business shall have to provide a new notice when collecting the new information.

Furthermore, Section 1798.150, which applies to employee data, means that businesses are liable for undertaking adequate and reasonable security measures to protect the data of their employees. Because, if unredacted or unencrypted employee personal information is breached, due to the employers’ failure to take reasonable security measures, they will have to face civil actions brought by the employees. Under Section 1798.150, damages in suits brought by aggrieved individuals in such cases of a breach can be granted $100-$750 in statutory damages or actual damages (whichever is higher). Thus, employers must make sure to protect employee data as it protects consumer data to avoid facing penalties under the CCPA.

Steps Towards Compliance

In order to have a strong HR strategy, the team must first interpret the applicable state law and then ensure compliance with that law.

Understand what laws apply to your organization

Data privacy laws such as the CCPA are constantly evolving (take, for example, the CPRA amendment), so it’s important for the HR department to stay on top of all the regulatory amendments. It is advised to have automated alerts set up in order to inform the organization about new and changing cybersecurity and data privacy laws.

Assess your organization's compliance requirements

Privacy regulations can differ based on industry, location, and types of data being processed. It is paramount that the organization is aware of the compliance requirements of laws that apply to them.

Expand your knowledge base

Becoming well-versed about privacy regulations can help keep your employees updated about their data rights. A better understanding of data privacy will lead to more effective leadership on how these regulations can potentially impact a business.

Set expectations with staff

The HR department needs to make its staff aware of the importance of protecting an individual's sensitive information and how they can balance individual privacy concerns against the privacy requirements of running an organization.

Maintain transparency

HR professionals are required to maintain transparency on the data they have collected. This will promote trust among employees and third parties and also help the company stay compliant with privacy regulations.

Conclusion

Organizations today are collecting more and more data, whether that be from their consumers or their employees. Privacy regulations such as the CCPA require organizations to keep track of data collected from their own employees and in turn protect this data from being responsible custodians.

The past shows that doing this through manual methods, although maybe possible, is a tedious task, and organizations are encouraged to automate their operations.  With the constant evolution of privacy regulations, automation is the only way an organization can keep up.

Seucriti offers organizations a fully automated solution that can help them easily detect personal data, map it to the owner, and keep it protected. This helps comply with several privacy requirements such as DSR fulfillment and “adequate security” of the stored data. Securiti recently joined hands with Workday, enabling Sensitive Data Intelligence-driven Security, PrivacyOps, Governance, and Compliance for sensitive employee and financial data in Workday.  This is a huge step towards protecting employee data on a global scale.

The Securiti Sensitive Data Intelligence Solution will help organizations comply with privacy requirements, by offering the following functionalities:

1. Discover & catalog shadow and sanctioned assets
2. Extract and catalog asset metadata
3. Detect sensitive and personal data
4. Catalog, classify & tag sensitive data
5. Identify high-risk data
6. Built a graph between data and its owners
7. Scale to petabyte volume with high accuracy
8. Map data to compliance and regulations

Learn more about how Securiti can help you comply, watch a demo today!