CCPA Employer Exemptions Set to Expire

CaliforniaCCPACPRAUS Data Privacy LegislationUS Regulatoryworkforce protections
Written By Jason Shoup

On August 16, California Assembly Member Cooley introduced amendments to Assembly Bill 1102 (AB1102) that would extend the California Consumer Privacy Act’s (“CCPA”) temporary exemptions for the collection of personal information derived from job applicants, employees, and contractors (collectively, the “workforce”) for an additional two years until January 1, 2025. Under the CCPA, these exemptions are currently set to expire on January 1, 2023. On August 31, the California legislature adjourned without issuing an extension of the temporary exemptions.

With the exemption expiring, and the California Privacy Rights Act (“CPRA”) amendments  set to take effect on January 1, 2023, workforce members will have the same privacy rights as all other consumers, including:

  • Restrictions on the collection and business use of their personal information for only the “reasonably necessary” purposes given to the data subject at the time of collection;

  • The right to request the disclosure of:

    • The categories of personal information collected;

    • The sources of such information;

    • Third parties that received the information, and;

    • Which information was sold/shared and to third parties.

  • The right to request the deletion of improperly collected personal information; 

  • The right to request the correction of any inaccurate personal information retained by the business;

  • The right to opt-out of the sale or sharing of their personal information with any third parties; and

  • The right to direct a business to limit the use, sale, or distribution of sensitive personal information to only those uses which are necessary to perform the service or provide the goods reasonably expected by the consumer.

If AB1102 should pas in the future, it would prohibit employers of more than 100 employees from:

  • Monitoring the activities of employees when off premises, off duty, or not performing work-related tasks, unless the employee consents to the monitoring or if their personal information is related to the administration of their wages or benefits;

  • Collecting personal information of employees for the “sole purpose” of identifying if the employee is engaged in labor union related activities;

  • Knowingly contracting with, or otherwise requesting, a vendor who engages in activities prohibited by AB1102; or

  • Discriminating against employees for exercising their right not to be monitored.

Considering this regulatory gray area, covered entities under the CPRA should consider examining their existing privacy policies and practices to ensure compliance with the emerging privacy requirements. Specifically, covered entities should:

  • Review their data inventory of personnel and business contact personal information and sensitive personal information;

  • Update CCPA notices and privacy policies for personnel and business contacts to ensure that they appropriately disclose the categories of information that will be collected and the purposes for said collection; and

  • Establish processes for personnel and business contacts to submit CCPA requests.

* * * * * * *

To read our news alerts discussing: Indonesia pass their Data Privacy Law, TikTok facing $29 Million fine from UK, Airlines seek privacy regulation, and Massachusetts delays Privacy Law, click here.

This week’s breach report covers breaches of the following companies: Optus, Watchfinder, Zoho Flaw, OneTouchPoint, and Humana. Click here to read more.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

This week our guest, Carlos Solari, VP of Product for SecureG, Inc., will join our host Jody Westby to discuss t 5G availability, how an orchestrated 5G attack could occur, how to rethink the security problem with 5G, and how 5G is connected to national security. New episodes are generally released each week, here. They can be enjoyed on Spotify and Apple Podcasts.

Our most recently released episodes:

78 | The Nexus Between Privacy, Cybersecurity & National Security

77 | Privacy & Cybersecurity Whistleblowers: A New Trend?

76 | Privacy Governance v. Cybersecurity Governance

Don’t forget to subscribe!

Jason Shoup
Previous

News Alerts and Bleach Report for Week of October 3, 2022
Next

News Alerts and Breach Report for Week of September 26, 2022