Following in the footsteps of the EU’s General Data Protection Regulation (GDPR), California has enacted a new law granting California residents greater oversight and control over the information organizations, including their employers, collect about them. Although not as extensive as the GDPR, the California Consumer Privacy Act of 2018 is considered by many legal experts to be the strongest, most sweeping data privacy law in the United States.
The law compels organizations to respond to individual inquiries, disclose the personal information they have collected about a California resident, and identify the categories of third parties with whom they have shared that information. Residents can also opt out of the sale of their personal information.
Finally, the law provides a private right of action for consumers whose personal information is exposed in a data breach caused by a business’s failure to maintain reasonable security, and it allows the state’s attorney general to bring enforcement actions and seek civil penalties for other violations.
The law is geared towards large companies, not mom-and-pops. Only businesses that have annual gross revenue of over $25 million, maintain information on more than 50,000 consumers, households or devices, or earn more than half their annual revenue from selling California residents’ personal information will be required to comply with the law.
The law refers to “consumers” and makes no mention of “employees” in its language; however, the term “professional or employment-related information” is included and the definition of “consumer” is so broad as to likely give data privacy rights to employees with respect to their professional records.
The GDPR, which likely inspired the California law, definitely applies to employees. Upon request, employers must supply them with the personal data they hold about them, including emails referring to the employee, performance reviews, interview notes, payroll records, absence records, disciplinary records, computer access logs, CCTV footage, and recordings of phone calls.
Although the California law does not appear to have been written with employers in mind, it doesn’t specifically exclude them either. Some provisions will likely not apply in practice; for instance, an organization has to retain some data on its employees for business and record-keeping purposes, so the right to deletion would not reach those records. Similarly, it is rare for employers to sell employee data. Perhaps by the time the law goes into effect (January 1, 2020), the state legislature will clarify its intentions. In the meantime, HR departments should prepare so that they won’t be caught flat-footed.
Under the California law’s “right of access” provision, businesses are required to provide upon request all personal information they have collected about a consumer within 45 days, free of charge. The right of access covers only the 12 months preceding the request.
Companies must also delete personal information upon request, but this does not apply to information that the IRS or other regulatory agencies require them to keep.
If it applies to employees, the right of access would be very tough to comply with without some sort of automated document management system. Automation allows companies to quickly locate the specific pieces of information an employee requests, such as performance reviews, emails, or health data collected by a company wellness program. Some systems allow employees to retrieve their own documents, further easing the burden on HR.
An automated system can also help with compliance, gathering and sharing documents for audits and alerting the company if anything is missing or expired.
Like the GDPR, California’s law holds companies responsible for data breaches. Under the California law, consumers whose personal information is exposed because a business failed to maintain reasonable security can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if those are greater.
To reduce that exposure, sensitive employee data should be encrypted, and anyone submitting a data request should be verified with two-factor authentication before any records are released, so that the access right itself cannot be abused to pull another person’s file. You can also set up secure virtual data rooms where information can be shared with employees or regulators without emailing it around.
Within the HR department, you should limit access to sensitive information to those with a true need to know. Work with your security team to develop a risk policy for confidential information and review it regularly.
Although California’s law is the most extensive, most states have enacted data security and breach notification laws that protect specific identifiers such as Social Security and driver’s license numbers.
Like California, they may strengthen their laws. Citizens are increasingly questioning companies’ use of their information and demanding greater visibility and control, especially in the wake of the Facebook/Cambridge Analytica scandal.
Even before that, concern was growing. In a 2016 Pew Research Center study, 65 percent of respondents said that it was “very important” to control information collected about them, and 91 percent said they felt they had lost that control.
California’s law and the GDPR are only the latest manifestations of a trend that is increasingly tilting privacy law in favor of individuals. To prepare for the future, companies should develop the capacity to respond securely and efficiently to individual data requests. Just as it pays to be ahead on the technology curve, it is wise to stay a step or two ahead of the law.
Elisabeth Koury leads the privacy practice at CyberScout Solutions. She brings over 6 years of experience helping organizations reach their privacy goals, beginning as an extern for the International Association of Privacy Professionals. Since then, she has tracked privacy legislation worldwide for third-party digital advertisers, performed readiness assessments and compliance audits for Fortune 100 companies in the retail, pharmaceutical, and technology industries, reviewed contracts for information management terms for a Big Four firm, and served as in-house counsel at a privacy software startup. Beth holds a JD with honors from the University of Maine School of Law. She is a CIPP/US and is currently studying to become a CIPP/E and CIPM.