CPRA tips

November 30, 2022

Your questions answered: HR & B2B data under CPRA


With new CCPA requirements coming into effect January 1, 2023, businesses are anxious to prepare for the changes. To help you get ready, we hosted an IAPP webinar on How to align your HR and B2B teams for the 2023 CPRA changes. Three veteran privacy professionals had plenty to say about how to approach the necessary changes across teams, because it'll take some cross-functional collaboration to get it done. Below are insights from Robin Andruss, CPO at Skyflow; Kimberly Lancaster, Senior Privacy Manager at Marqeta; and David Stauss, Attorney at Husch Blackwell.

What changes on January 1, 2023?

Most of the anxiety about the CPRA's looming implementation centers on the new requirements for employee data and B2B data. The CCPA was originally drafted as a consumer protection law and largely exempted B2B and employee data, including from data subject access requests (DSARs). In the lead-up to the CPRA, lobbyists pressed for an extension of those exemptions, but ultimately failed to get it done.

That means that starting Jan. 1, California privacy law will no longer treat employee and B2B data differently from consumer data. Organizations will need to offer data subject rights not just to California-based consumers, but also to their California-based employees, job applicants, and business-to-business contacts.

Additionally, on Jan. 1, the 30-day right to cure goes away. Businesses will no longer have a courtesy window to correct CCPA violations before facing an enforcement action.

Takeaway: Starting January 1st, employee and B2B data are covered by the CCPA, and businesses lose the right to cure.

How should I prepare for the CPRA?

Use the preparation you've already done for the GDPR and CCPA as a base to build on. You may already have procedures for handling data requests, or documentation, that you can expand.

Document your data flows. You need to understand where your data is, how it’s being processed, where it’s stored, and who has access to it. You also need to document your data owners within the organization. It's essential that you develop a relationship with HR, if you don't already have one, because you'll need a plan on how to react when employees file a DSAR. The response will likely require insights from both teams on how to process, how to validate, and how to respond to requests.

Takeaway: Document data flows and ownership across your organization. Update employee privacy notices and practices.

Which teams should work together for CPRA compliance on HR and B2B data?

Which teams collaborate on CPRA compliance will vary depending on your organization, your line of business, and how much infrastructure you have in place already as a result of any previous work on GDPR or CCPA. Larger companies might need to build a privacy working group across multiple departments. Other companies may just need a few privacy champions in HR, marketing, and sales.

Wherever you are in your compliance efforts, you need to sit down with HR and recruiting, and be available for employees who have questions. If you’re a B2B company, you also need to work with the people who use your HR and B2B data, such as marketing and sales operations.

Takeaway: Work with anyone who uses HR and B2B data in your organization.

How should I prioritize employee DSARs?

Consider how many California employees you have. If you've got 5,000 employees in California, you should assume a DSAR is heading your way sooner rather than later, and you've got to have a process for fulfilling it. If you only have five California-based employees, you can probably wait to build out the DSAR process until you get an actual request. Either way, you should update your employee privacy notices now.

Takeaway: Update employee notices. Prioritize DSARs based on how many Californians work for your company.

Are CCPA employee and B2B DSAR obligations different than under the GDPR?

There are a number of differences between GDPR and CCPA DSARs, but you should be able to build a single DSAR process that satisfies both.

  • When you receive a DSAR from California, you must confirm receipt within 10 business days. The GDPR has no equivalent acknowledgement requirement.
  • You must fulfill a CCPA DSAR within 45 calendar days, extendable once by a further 45 days when reasonably necessary. Under the GDPR, you must respond within one month, extendable by two further months for complex or numerous requests.
  • California has a more prescriptive verification process for DSARs, while the EU is more flexible about how identity is confirmed.
  • California has existing laws, such as the California Labor Code, that already govern related topics like an employee's right to obtain copies of documents they've signed and their payroll records.

Takeaway: the CCPA and the GDPR have different notification requirements, fulfillment windows, and verification requirements.

How can I make gains toward CPRA compliance?

Start by accounting for all your data. List your applications, such as HR, payroll, and internal comms. Add storage solutions as well, such as Google Drive, OneDrive, and Box. For each application and storage solution, list:

  • What type of data it contains.
  • Who has access to each data type.
  • Where that data flows to.
  • What data lifecycle practices you apply to the data.

Once you understand your data landscape, it will be much easier to prepare for DSARs and other CPRA requirements.

Takeaway: Inventory all your applications and storage solutions, and how they use data.

What are the litigation risks of CCPA DSARs?

The CCPA changes are likely to affect the discovery process. If an employee, ex-employee, or unsuccessful job seeker wants to sue a company, they’re likely to use a DSAR to see what information the company has on them. That gives them free discovery before initiating a lawsuit.

Unfortunately, the CCPA doesn’t differentiate between handling a DSAR from a disgruntled ex-employee and a regular member of the public. However, companies have an interest in treating legal responses differently than standard DSAR requests. How this all plays out in the courts remains to be seen.

Takeaway: Parties interested in suing will likely use DSARs to discover what information a company has on them before filing a lawsuit.

For more CCPA compliance tips, check out the full webinar on How to Align your HR and B2B teams for the 2023 CCPA changes.

How do we comply by Jan. 1 if the California Privacy Protection Agency hasn’t issued final regulations?

The CPRA established the CPPA and required the new agency to finalize rules by July 1, 2022. This would have given businesses 6 months to prepare for the Jan. 1 deadline.

In reality, the law didn't leave nearly enough time. Right now, it looks like CPPA rules will be completed somewhere around mid to late January — more than 6 months late, and several weeks after the new requirements take effect. While agency enforcement doesn't begin until July 1, businesses are still required to meet the new requirements at the beginning of January.

Fortunately, the draft regulations account for the delay: when deciding whether to pursue an investigation, the CPPA may consider how much time has passed between a requirement's effective date and the alleged violation. Exactly what this means in practice is still up in the air; the text doesn't specify how lenient the agency should be.

Do we now have to keep records of HR requests?

Yes. The CCPA regulations require businesses to keep records of the requests they receive and how they responded, for at least 24 months. Starting Jan. 1, that log must cover requests from employees and applicants as well.

Are ROPAs required for CCPA compliance?

Article 30 of the GDPR requires organizations with at least 250 employees to maintain a record of processing activities (ROPA); smaller organizations must too if their processing is not occasional, is likely to result in a risk to data subjects, or involves special-category or criminal-conviction data. The record must identify the controller and its contact information, and describe the purposes of processing, the categories of data subjects, personal data, and recipients, and any third countries the data is transferred to.

The CCPA does not explicitly require ROPAs. In practice, however, they're essential for compliance. To meet CCPA requirements such as data requests, notices, and opt-out/opt-in rights, you need to know what personal information your company collects, what you do with it, where you store it, and who you share it with — essentially the same information that goes into a ROPA.

ROPAs are also essential from an operational standpoint because they let your team quickly understand how they’re processing data. And as new laws place additional requirements like privacy by design, ROPAs will become even more important.

Check out our blog on managing DSARs for more information.

What are the best practices to verify employee identity for DSARs?

You need to be able to verify the identity of anyone submitting a DSAR, but the law doesn’t require you to have the same DSAR process for everyone. What’s important is that your DSAR can verify the subject’s identity correctly, and that you leave a record to demonstrate your compliance.

If your company already has a secure system to authenticate employees, you can use that to authenticate DSARs. For example, if you use two-factor authentication to control access to an internal intranet, you could use that system to verify employee identity for DSAR requests. Make sure the authenticated identity is the person whose data is being requested: an employee's login proves who they are, not that they may see someone else's records.

Is there any legal requirement that employee requests be processed by your privacy team, or can each organization determine which department handles the requests?

There's nothing in the CCPA that says your privacy team must handle employee requests. As long as you designate and train someone to handle employee DSARs, you’re compliant.

For remote businesses with few California employees, can we ask in response to requests whether the requester resides in California?

Yes. The CCPA only covers California residents. You can confirm whether a requester resides in California, and decline to answer requests from non-residents.

We currently have a process to handle HR requests. Do we now have to keep records of those requests?

Yes. You need an audit trail to show you’re honoring employee requests. If an auditor asks, you should be able to show a copy of the request with the name redacted, along with a redacted copy of the personal data.
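As an added example (not code from the webinar or from this page), here is a minimal DSAR intake in Python for an employee portal that already sits behind SSO with two-factor authentication. It pulls together three points made above: reusing the existing login as the verification step while checking that the authenticated person is actually the subject of the request, the California acknowledgement and fulfillment clocks, and a redacted, pseudonymised audit record of the kind you would hand an auditor. The AuthenticatedPrincipal object, the HMAC key, the example.com addresses, the sample request, and the 10-business-day / 45-calendar-day figures as implemented are all assumptions or constructed inputs; public holidays are deliberately ignored in the business-day count.

```python
"""Hypothetical DSAR intake for an SSO/2FA-protected employee portal (added example)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: in production this key comes from a secrets manager, not source code.
AUDIT_HMAC_KEY = b"example-key-replace-with-secret-from-your-vault"

ACK_BUSINESS_DAYS = 10      # CCPA: confirm receipt within 10 business days
FULFIL_CALENDAR_DAYS = 45   # CCPA: respond within 45 calendar days (before any extension)


@dataclass(frozen=True)
class AuthenticatedPrincipal:
    """Identity asserted by the existing SSO/2FA layer for the logged-in user (assumed shape)."""
    employee_id: str
    email: str
    mfa_verified: bool


@dataclass(frozen=True)
class DsarSubmission:
    """What the requester typed into the request form."""
    subject_employee_id: str
    subject_email: str
    subject_name: str
    resides_in_california: bool   # self-attested; HR records can corroborate
    request_type: str             # "access", "delete" or "correct"
    free_text: str


@dataclass(frozen=True)
class AuditRecord:
    """Redacted entry for the request log (the regulations say keep it at least 24 months)."""
    subject_ref: str      # keyed hash: stable per person, reveals nothing on its own
    request_type: str
    status: str
    received_on: date
    ack_due: date
    fulfil_due: date
    redacted_text: str


class DsarIntakeError(Exception):
    """Raised when the request cannot be tied to a verified requester."""


def pseudonymise(value: str) -> str:
    """Keyed hash so auditors can correlate a person's requests without seeing who they are."""
    digest = hmac.new(AUDIT_HMAC_KEY, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def add_business_days(start: date, days: int) -> date:
    """Count forward `days` weekdays from `start` (public holidays ignored)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # Monday..Friday
            remaining -= 1
    return current


def redact(text: str, *identifiers: str) -> str:
    """Replace every occurrence of each identifier (name, email) with [REDACTED]."""
    for ident in identifiers:
        text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def intake_dsar(principal: AuthenticatedPrincipal, submission: DsarSubmission,
                received_on: date) -> AuditRecord:
    # 1. The existing 2FA login is the verification step.
    if not principal.mfa_verified:
        raise DsarIntakeError("session is not MFA-verified; cannot verify requester")
    # 2. Being logged in proves who the requester is, not that they may see someone
    #    else's records: the subject of the request must be the authenticated person.
    if (principal.employee_id != submission.subject_employee_id
            or principal.email.lower() != submission.subject_email.lower()):
        raise DsarIntakeError("authenticated identity does not match request subject")
    # 3. CCPA rights attach to California residents; non-residents are logged and declined.
    status = "accepted" if submission.resides_in_california else "declined-non-resident"
    # 4. Record the statutory clocks and a redacted copy of the request.
    return AuditRecord(
        subject_ref=pseudonymise(submission.subject_email),
        request_type=submission.request_type,
        status=status,
        received_on=received_on,
        ack_due=add_business_days(received_on, ACK_BUSINESS_DAYS),
        fulfil_due=received_on + timedelta(days=FULFIL_CALENDAR_DAYS),
        redacted_text=redact(submission.free_text, submission.subject_name,
                             submission.subject_email),
    )


# Constructed sample input: an employee asks for a copy of their own data on a Monday.
SAMPLE_RECEIVED_ON = date(2023, 1, 9)
SAMPLE_PRINCIPAL = AuthenticatedPrincipal("E1042", "ana.lopez@example.com", True)
SAMPLE_REQUEST = DsarSubmission(
    subject_employee_id="E1042",
    subject_email="ana.lopez@example.com",
    subject_name="Ana Lopez",
    resides_in_california=True,
    request_type="access",
    free_text="Hi, this is Ana Lopez (ana.lopez@example.com). Please send everything you hold on me.",
)

if __name__ == "__main__":
    print(intake_dsar(SAMPLE_PRINCIPAL, SAMPLE_REQUEST, SAMPLE_RECEIVED_ON))
```

The unredacted request and the mapping from subject_ref back to a person would live in the HR case-management system under its normal access controls; only the AuditRecord goes into the log you show an auditor. The same pattern works for the GDPR clock by swapping the deadline constants.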

Can you clarify the CPRA’s applicability to nonprofits?

Nonprofits are generally exempt from the CCPA, which applies to for-profit businesses. However, third parties that provide marketing or consumer data to nonprofits are covered. You should still disclose how you use data, give consumers a way to opt out of targeted ads and marketing, and ensure that any data partners you work with are in compliance with the law.

What does the right to access personal information include and exclude?

Under the CCPA, Californians have the right to a copy of “the specific pieces of personal information” that a company has collected about them. However, that wording leaves a lot of ambiguity.

For example, let’s say a job applicant introduces themselves in an email, and shares information like their age, address, and work experience. If that subject submits a DSAR later on, do you need to supply the email itself, or just the name, address, and other relevant information?

The short answer is: We don’t know for sure, yet. We know you don’t have to go back years — the law’s look-back provision only requires businesses to track how they’ve used, collected, and shared personal data since January 1, 2022. But it’s up to the CPPA and the courts to determine whether the law covers just the data itself, or every email, message, and form using any piece of the data.

Does employee data include applicants that were not hired?

The CCPA covers any personal information on California residents, whether they’re employees, applicants, customers, or business contacts. When you collect data, you need to provide a privacy notice. That means both job applicants and new employees need to be told what data you’re collecting, and how you intend to use, share, disclose, and delete it.

How you structure your privacy notices is up to you. Companies can use one privacy policy for applicants and another for new hires, but the more privacy policies you have, the harder they are to maintain. For most organizations, a better approach is a single privacy policy for the entire hiring process that explains your data practices from first contact through the interview and onboarding stages.

To learn more about getting HR and B2B ready for the new CCPA rules, watch our free webinar.