The California Consumer Privacy Act of 2018 (CCPA) goes into effect on January 1, 2020 and it will rank amongst the most stringent privacy laws in the U.S. for companies that fall under its purview. The new law will provide California residents with more control over their digital information and provide significant penalties to covered companies who fail to comply.
The CCPA includes a broad definition of what constitutes “personal information.” Many other U.S. state privacy laws limit their definitions of “personal information” to certain identifiers that could be used to commit identity theft (e.g., consumer names in combination with Social Security numbers or financial account numbers). However, the CCPA mimics GDPR in applying to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Under the CCPA, California residents have a number of new rights related to their personal information. They have the right to opt out of the sale of their personal identifying information (PII). They also have the right to know what PII businesses have on them and can request deletion of PII; and the list goes on. There are also a lot of new legal obligations for businesses under the law related to how they notify individuals that information may be sold, what language must be included in a contract for services if PII is to be transferred, and so on.
The CCPA applies to California residents, not California employers. If your company collects candidate data from California residents, the regulations under the CCPA apply.
The CCPA potentially could impose substantial compliance burdens on and create significant class-action exposure for every company that employs California residents and has more than $25 million in annual gross revenues.
With regards to job applications and candidate screening, the CCPA empowers consumers to (with some exclusions):
The CCPA expands employee rights in three significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and purpose for collection; (2) it provides for statutory damages ranging from $100-750 if sensitive personal information is breached; and (3) it expands the right to request access/deletion of personal information.
In addition to the disclosure notices already included in your application process and for employee data collection, as of January 1, 2020 employee privacy notices must disclose:
The term “personal information” is broad under CCPA and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The definition goes on to identify 11 categories and data elements like “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data,” to name a few. Simply put, employers must disclose all categories of personal information they collect, the purpose of collection, and how the information will be used.
Because of the nuances of the CCPA, it is imperative to know what data your company is collecting and where it is stored, to keep that data reasonably secure in order to comply with the CCPA, and to identify third parties and vendors that receive your employee or applicant data (such as payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies). Once these are identified, employers must conduct vendor inquiries and perform due diligence about how those vendors use, share and secure the data.
The CCPA has many similarities to the GDPR in the EU, and one of those similarities is the importance of having a dedicated resource such as a vendor partner that understands best practices and notices for data collection. Working with a background screening vendor like Cisive ensures that your company is in compliance with current legislation and is prepared for pending legislation as laws like the CCPA become more common throughout the U.S.
As amended by AB 1355, the CCPA exempts activities authorized by the Fair Credit Reporting Act, or FCRA. That includes background checks conducted by a consumer reporting agency at the request of an employer in accordance with the FCRA. AB 1355 also simplifies CCPA’s public records exemption to cover any information that is “lawfully made available” from federal, state or local government records. In other words, the FCRA meets the same goals that California’s new law is designed to accomplish. That’s why lawmakers exempted FCRA-approved activities in AB 1355 and scrubbed any compliance responsibilities under CCPA as they relate to background checks.
Additionally, because Cisive holds certification from the Professional Background Screeners Association (PBSA), the provisions of the CCPA that apply to personal information provided for the purposes of a background check are limited to data security and protection. This means that the information we provide to you based on information collected during a background screen does not fall under the CCPA’s prohibition of the “sale” of personal information.
Cisive helps our clients when it comes to new regulations and laws that impact employers, providing them with unparalleled support and resources. Learn more by signing up for a demo today.