On August 31st, the California legislative session notably adjourned without the enactment of Assembly Bill 1102. This bill would have extended the exemption for the inclusion of employee and B2B personal data within the California Privacy Rights Act (CPRA).
Without the exemption in place, compliance and governance around B2B and HR personal information will become enforced as of January 1st, 2021. Essentially, organizations will need to treat B2B and HR data with the same level of care and security controls as they do consumer’s personal information.
This is a huge move in the world of US privacy laws, bringing the CPRA more in line with the General Data Protection Regulation (GDPR), which already includes provisions for employee and B2B data.
Right now, there’s not much organizations have to do with regards to employee and B2B data under the California Consumer Privacy Act (CCPA). Their only duties center around maintaining reasonable security controls to protect this data and providing a notice during or prior to the time this data is collected.
When the CPRA comes into force,things will change drastically. In preparation, organizations will need to reconfigure their privacy policies, put the infrastructure in place for access requests, ensure they can facilitate right to deletion requests, and more.
If your organization falls within the scope of the CPRA, you need to start preparing for these expanded obligations immediately. 2023 is not as far away as it looks.
To help you, here’s everything you need to know about the inclusion of employee and B2B data within the CPRA.
What is the CPRA?
Before we dive into the upcoming provisions within the CPRA, here’s a quick recap of what the law is. The CPRA extends the California Consumer Privacy Act (CCPA). On top of the regulations in the CCPA, the CPRA gives citizens the right to edit and update personal information that is inaccurate, limit how companies use and disclose data about them amongst other things.
As well as this, it puts increased demands on companies to implement special controls to protect highly sensitive data, such as social security numbers and biometric information.
What are the requirements under the CPRA for HR and B2B data?
With the exemption no longer in place, the CPRA will require organizations to:
- Craft privacy notices to the standard of the CPRA, including details about the collection and usage of employment-related and B2B data
- Honor employee requests with regards to the right to know, right to deletion and right to collection, along with the right to op-out of sale or disclosure of this data for advertising purposes. Note, these rights extend to data collected through employee monitoring software.
- Answer employee questions about where, when, and why their company is using their personally identifiable data.
What is HR and B2B data within the CPRA?
Under the CCPA, organizations should already have stringent data protection practices in place for past employees and applications. In regards to the CPRA, these practices are extended to any and all employee-related and B2B personal data.
Personal information is defined generally as any data that can be used to identify an individual or be reasonably linked to them. Names, addresses, social security numbers and driver’s licenses are all considered personal data.
Within the context of employees and the workplace, the following information will also fall under the CPRA: employment contracts, resumes, biometric data, identification badges, surveillance footage and data used for workforce management (e.g. talent management system).
As a side note, it’s worth noting that the CPRA will maintain existing carve-out applications, where it is superseded by other federal state privacy laws, as in the case for HIPAA.
The challenges of HR and B2B data becoming subject to the CPRA
Needless to say, achieving 24/7 visibility, security and compliance for this kind of data is going to be a challenge for organizations. Looking at your own business, you probably collect vast amounts of data relating to employees and job applications each month.
To make matters more complex still, the rise of cloud computing applications like Slack and Google Workspace mean that employee and business data is all over the place, making it harder than ever before for IT teams to maintain compliance with regulations like the CPRA.
Five steps to meet the requirements of the CPRA
Finding a way to maintain vigilant control over your employee and B2B data is going to need a strategic approach and specialist tools. Here’s what you need to do:
- Map your data: You can’t protect what you don’t know about. It’s therefore vital to undertake data mapping to create an accurate, thorough inventory of your employee and business data, and the processes for storing and collecting it.
- Amend your data classification policies as needed: Under the CPRA, HR data is often considered sensitive and therefore requires greater protections. Make sure you align your data classification policies to the definitions outlined in the CPRA.
- Update your data processing agreements (DPAs): You likely work with numerous partners and software vendors who could previously process HR data without the worries of compliance fines, as this information was exempt. You’ll need to update your DPAs to ensure that all data processing is lawful under the CPRA.
- Be prepared for data subject requests from employees: You will need to extend your data subject right procedures to include employee data.
- Adapt your training programs: Employees will need to be aware of the CPRA’s additional requirements, and how this impacts expectations around interactions with HR and B2B data.
Simplify CPRA compliance and data security
The addition of employee and B2B data within the CPRA creates additional regulatory complexities for companies. Organizations will need to innovate to comply with the upcoming regulation.
The most cost-effective way to advance compliance is through a cloud-based data classification and data loss prevention (DLP) tool, like Polymer DLP.
Polymer DLP automates the process of compliance and data security across your cloud apps, using artificial intelligence and a self-learning engine to automatically identify, secure and redact sensitive data that falls under the CPRA.
Schedule a demo to learn how Polymer DLP can help you with CPRA compliance.