As the California legislature comes to a close today, Aug 31^st, unfortunately employers will be on the hook to comply with the employment elements of CPRA as no agreement was reached to extend the employment exemption and none is forthcoming. With just over four months until CPRA goes into effect, it underscores the compliance efforts companies need to start sooner than later to encapsulate human resource-related systems in your privacy program, heavily dependent on an accurate data map and the acceptance of data requests.

Exemption Background

CCPA incorporated an important exemption for employment data and “business to business” data, meaning the CCPA rights did not apply to PII gathered from or about employees, job applicants, and independent contractors. That exemption was not intended to be permanent and initially had a sunset date of January 1, 2020 which was then extended to January 1, 2021.

When CPRA was introduced to California voters, it extended the exemption another two years to January 1, 2023. During legislation this year there were multiple attempts at extending the exemption even further, but with the session closing today that effort was futile. Come January 1, 2023, current and former employees, job candidates, and independent contractors who are natural persons and residents of California will be subject to the entire range of rights and obligations under the CCPA/CPRA, after several years and despite legislative attempts to delay.

Your Next Steps

• Companies should be preparing a comprehensive data map to evaluate data inventory for employee and job applicant PII. This extends into unstructured data, often for the first time, as new data sources come in scope.
• Evaluate your privacy practices including data retention driven by minimization and privacy policies that need to reflect your compliance with the upcoming regulations.
• Prepare to accept data requests from employees and job applicants that follow CPRA guidelines. Best practice is for this to be a segregated process from consumer requests, specific to the applicable audience.
  • Remember employees and former employees have detailed information on what PII you’ve collected. Former employees’ requests, in particular, are often pre-litigatory and thus warrant special attention. What we’ve seen under GDPR is that this is a group that doesn’t generate a high volume of requests, but rather a steady flow.

For Truyo customers this won’t be a difficult feat to achieve. Our comprehensive data mapping will show you exactly where you store employee PII in connected systems to inform your data minimization strategies and provides you with web-based impact assessments also required by law. We will also be releasing a free privacy policy generator to assist you in updating your consumer and employee-facing policies. Register to get first access when we release our truly free Privacy Policy Generator. The new Privacy Policy Generator Tool will be released on September 13th in conjunction with our privacy webinar series. And of course, our tool will aid you in accepting requests in compliance with CPRA.

Please reach out to your Truyo Account Manager or support@truyo.com if you need to discuss implementing any of these features. If you aren’t a current Truyo customer, use this link to schedule a live demo of our product where we’ll walk you through each of these tools that help our customers achieve regulatory compliance.