As of January 2023, the California Consumer Protection Act (CCPA) will extend its coverage to employee data through the enactment of the California Privacy Rights Act (CPRA). This update to the CCPA resembles the inclusion of employees’ personal data within the General Data Protection Regulation (GDPR) of the European Union. This article will help employers understand when they must obtain employee consent before collecting their personal data.
How do the CCPA and CPRA affect employee data collection?
The CCPA is a law that covers privacy rights and consumer protection for California residents. It grants several rights to consumers, including the right to know what personal information a business has collected, the right to delete personal information collected from the consumer, and the right to opt out of the sale of personal information. The CPRA builds upon the CCPA and extends these rights to employees. Additionally, employers under the CPRA must issue a privacy notice to an employee at or before the time their personal information is collected. Further, as of January 2023, if personal data is shared with a third party, the employer must enter into a data protection agreement with that third party to protect its employees’ information.
Which businesses are subject to the CCPA and CPRA?
Businesses that are for-profit and conduct business in California and meet at least one of the following criteria:
- Businesses with annual gross revenue of over $25 million, or
- Businesses that annually buy, sell, or share the personal information of 100,000 or more consumers or households, or
- Businesses that derive at least 50% of their annual revenue from selling or sharing consumers’ personal information.
How does the GDPR affect employee data collection?
The GDPR is a data privacy law adopted by the European Union (EU) that imposes strict requirements on the collection, storage, and use of personal data. Under the GDPR, employees must give consent before their employers collect their personal data. Employers must also advise employees of how they process, store, record, gather, organize, retrieve, use, or disclose their data. Additionally, employers must advise employees of their right to update and correct their personal information.
What is considered an employee’s personal information?
Personal data under both the GDPR and CCPA/CPRA is broadly considered to be any information relating to an individual who can be directly or indirectly identified. It can include, but is not limited to, information gathered from a background check, bank account information for direct deposit, email addresses, physical addresses, and medical information. Essentially, almost any information that an employer collects about employees can be considered personal data.
Does an employee’s location affect personal data collection?
- Employers must comply with the GDPR for employees located in the EU, regardless of whether the employees reside in the EU or are EU citizens.
- Notably, the CPRA applies only to employees who are California residents.
If your business extends across multiple states (or countries), it is crucial to understand each jurisdiction’s employment laws and data privacy laws.