7 Steps to Comply with California’s Employee Privacy Regulations

In today’s digital age, technology has made personal data more accessible than ever.

To reinforce this point, I just asked Siri “What is my name?” and on top of responding with my first, middle, and last, my iPhone’s AI assistant also rendered my nickname, birthday, email, and mailing address.

This brief interaction left me wondering, “How well is my personal information protected?”

As an employer, you have the ability to easily access, collect, store, and share employee information. But with it, you also have the responsibility to comply with laws regulating the privacy and protection of employee data.

So, ask yourself, “How well is your employees’ personal information protected?”

Here at Combined, our skilled HR team can help you identify and address any data management concerns you have so that you can confidently answer this question.

In this article, we will discuss what constitutes employee privacy and how it is regulated and enforced in California. By reading it, you will learn 7 steps to comply with California’s employee privacy regulations.

What is Employee Privacy?

Employee privacy rights are globally regulated – So, what do you need to know about employee privacy to make sure that your policies and procedures are compliant with applicable regulations?

How is privacy defined?

The protection of privacy is not a new concept.

In fact, the “reasonable expectation of privacy” is protected by the 4^th amendment of the United States Constitution. This definition safeguards privacy under certain conditions.

To better explain these conditions, consider this scenario:

A popular department store is busy round the clock. Even with a full staff, it is impossible to keep track of every customer that enters and leaves the building, less yet what they purchase or return. This leaves the store susceptible to theft. To prevent shoplifting, the store owner decides to install surveillance cameras. Once installed, the store has cameras placed at the entrances, exits, and in all common areas.

Is this a privacy violation? No. Because the store is a public space, the owner has the right to monitor these areas.

The owner, still concerned with shoplifting, decides to install more security cameras. In addition to the previous locations, there are now cameras in the changing rooms and restrooms.

Is this a privacy violation? Yes. Because changing rooms and restrooms are areas where it is reasonable to expect privacy, the store owner does not have the right to monitor these spaces.

In this example, it is very clear which spaces are public and which spaces are personal, making the application of privacy to these spaces cut and dried.

Because the workplace functions as both a public and a personal space, applying the definition of privacy to it is more complex.

How is employee privacy defined?

The protection of employee privacy is a relatively new and evolving concept.

The Privacy Act of 1974 extended “reasonable expectation of privacy” into the workplace by setting limits on how extensively an employer can monitor employees’ personal possessions, actions, and communications while still maintaining a safe and productive work environment.

These limits changed with the growth of technology as a resource for data management, expanding this definition of employee privacy to encompass the protection of employees’ personal information.

And from it, the regulation of employee privacy rights was set further into motion.

How is employee privacy regulated in California?

California has enacted some of the most comprehensive privacy laws in the United States – together the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) protect employee privacy.

The California Consumer Privacy Act (CCPA)

The CCPA is a privacy law that protects California consumers from misuse of personal information. It went into effect on January 1^st, 2020.

The CCPA regulates for-profit businesses that meet any of the following criteria:

• An annual global gross revenue of at least $25 million
• An annual baseline for processing personal information of at least 50,000 California residents
• An annual revenue of which at least 50% is derived from selling California residents’ personal information

Keep in mind – If a business meets any of the above thresholds, even if it is located outside of California, it is subject to regulation by the CCPA.

However, there are a few business exemptions for CCPA regulation. These exemptions are limited to non-profit businesses, government, financial, or educational institutions, and healthcare organizations under HIPAA privacy rules.

To comply with the CCPA, qualified businesses must:

• Provide consumers with notice before collecting their personal information
• Provide consumers with a written description of their rights under the CCPA annually
• Implement reasonable data security measures to protect the personal information that they collect and maintain from unauthorized access, disclosure, or theft

The CCPA qualifies employees and applicants as consumers, granting them the following privacy rights protections:

• The right to know: Consumers can request documentation outlining what personal information is being collected, how it is being used, and whether it is being shared with or sold to third parties.
• The right to delete: Consumers can request that their personal information be removed from a business’s records.
• The right to opt-out: Consumers can prevent their personal information from being shared or sold to third parties.
• The right to non-discrimination: Businesses cannot discriminate against consumers who exercise their CCPA rights.
  
  

The California Privacy Rights Act (CPRA)

The CPRA is a privacy law that expands upon the CCPA, providing California consumers with additional privacy rights. The provisions of the CPRA went into effect on January 1^st, 2023.

Note: Like the CCPA, the CPRA qualifies employees and applicants as consumers, so they are protected under its provisions.

Among these provisions is a new protected data category – sensitive personal information. Sensitive personal information refers to any data that, if disclosed or compromised, could result in harm, embarrassment, or discrimination.

Here are a few examples of information that would fall under the protection of sensitive information:

• Financial information such as credit card numbers or bank account statement
• Medical information such as health conditions, medical history, or treatments
• Biometric information such as fingerprints, DNA, or facial recognition data
• Geolocation information such as data that can identify a specific location

The CPRA added this condition, under which businesses qualify for regulation:

• The annual collection of personal data from at least 100,000 consumers or households

The CPRA also added supplemental privacy rights to those protected under the CCPA.

The new privacy rights under the CPRA include:

• The right to correct personal information: Consumers can request that businesses change inaccurate personal information records.
• The right to limit the use of sensitive personal information: Consumers can request that the disclosure of their sensitive personal information is limited to the purpose for which it was collected.

To better protect consumer data, the CPRA also requires businesses to conduct regular data protection assessments to assess the risks associated with consumer data handling.

How is employee privacy under CCPA and CPRA enforced in California?

The California Attorney General’s Office is responsible for enforcing the provisions of the CCPA and CPRA – and the penalties for noncompliance are steep.

What are the CCPA and CPRA violation penalties?

The CCPA and CPRA noncompliance penalties are designated based on the nature of the offense – a business in violation of these laws can be fined the following amounts:

• Up to $2,500 per unintentional violation
• Up to $7,500 per intentional violation

However, there is a 30-day grace period during which a business can correct any violations and avoid paying penalties.

7 steps to comply with the CCPA and CPRA employee privacy requirements

The complexity of requirements under the CCPA and CPRA can make complying with these laws difficult.

Here is a 7-step action plan that can help you meet the demands of California’s employee privacy regulations:

1. Conduct data mapping

Data mapping is the process of identifying the flow of personal data through organizational channels.

Performing this step will allow you to understand the ins and outs of how your business handles personal information – where data is collected, how it is stored, how it is used, and who has access to it.

Data mapping will allow you to develop effective and secure data management policies and, as a result, ensure compliance with employee privacy under the CCPA and CPRA.

2. Draft the required collection notices

To comply with the CCPA and CPRA, you are required to notify your employees before collecting personal information.

By creating a standardized notice template to inform your employees of data collection and their rights under the CCPA and CPRA, you can avoid violating this legal provision.

3. Prepare CCPA and CPRA-compliant policies and procedures

Employee privacy rights are clearly outlined in the provisions of the CCPA and CPRA.

All you have to do is make sure that your policies and procedures reflect these protected rights – do that, and you can cross this item off your compliance checklist.

4. Enhance digital security measures

Because the CCPA and CPRA require reasonable data security measures to protect personal information from unauthorized access, disclosure, or theft, introducing enhanced digital security like encryption into your data management protocol can help safeguard compliance.

5. Implement a mandatory data retention schedule

A data retention schedule is a policy that requires organizations to retain specific types of data for a predefined time.

With a data retention schedule in place, you can be sure that you only retain personal information for as long as necessary. By doing so, you reduce your risk of a data breach as well as that of CCPA and CPRA noncompliance.

6. Develop and negotiate CCPA and CPRA-compliant third-party agreements

Under the CCPA and CPRA, you are responsible for how third parties manage personal information shared with them.

So, it is important that you develop and negotiate contracts with any outside service providers to ensure that they are not only protecting the personal information of your employees but also complying with the CCPA and CPRA regulations.

7. Provide necessary employee training

Employees are often the first line of defense against data breaches.

Proper training can help them understand their responsibilities under the CCPA and CPRA, recognize potential risks, and respond appropriately to protect personal information.

With these 7 steps, complying with California’s employee privacy regulations is as easy as 1,2,3...4,5,6,7 – Following them can guide you toward complete CCPA and CPRA compliance.

Next steps toward complete CCPA and CPRA compliance

Do you need help complying with California’s employee privacy regulations?

If so, you have come to the right place.

Here at Combined, our HR experts are ready to help you tailor these 7 steps to your business – so you will never again have to question “How well is your employees’ personal information protected?”

Rather, you and your employees can rest assured that privacy is not a problem.

Schedule a consultation with an HR specialist to get personal help protecting personal information.

Need more information on how to comply with California's employee privacy laws? Watch the recorded webinar to learn more.

This article is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.