What you need to know about the new CCPA employee data amendments
While California’s Consumer Privacy Act (CCPA) has been in effect for three years, the passage of the California Privacy Rights Act (CPRA), which amended the CCPA, ushered in significant changes effective January 1, 2023. Companies with workers who are California residents are now required to extend personal information privacy rights to their workers – both past and present – including officers, contractors, medical staff, directors and job applicants.
In this article, we discuss what the CPRA changes mean for your business, how they affect you as a Workday customer, and how you can ensure compliance with Kainos Smart Shield.

What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act of 2018 gives consumers more control over the personal information that businesses collect about them. The CCPA provides consumers with certain rights regarding their personal information, including:
- The right to delete personal information collected from them;
- The right to know what personal information a business has collected about them and how it is used and shared;
- The right to opt-out of the sale and sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.

What changes have been made by the new CPRA amendment?
The California Privacy Protection Agency (CPPA) is a governing administrative agency (Data Privacy Authority) that will operate as a watchdog to protect consumer privacy. This agency will vigorously enforce the law against businesses that violate consumers’ privacy rights.
The new CPRA amendment now protects employees’ personal information and specifies that employers must provide a notice to employees at or before the point of collection of their personal information. This notice must include a list of the personal information that will be collected and the commercial or business purpose for the collection of the data. Employers should also provide their employees with a copy of, or a relevant link to, the employer’s privacy policy.

How does the CPRA amendment impact employee data?
This change dramatically expands worker privacy rights and increases the obligations of companies with California workers. Employees have a right to:
- Correct inaccurate personal information that a business has about them; and
- Limit the use and disclosure of sensitive personal information collected about them.

What types of personal information are protected by the new CPRA amendment?
- Personal information is classified as any information which identifies, relates to, or could be reasonably linked to a consumer or their household. This includes the individual’s full name, social security number, email address and even goes as far as their internet browsing history, geolocation and biometrics.
- Personal information of California job applicants, employees, owners, directors, officers, and medical staff members, collected and used by businesses in the context of an individual’s role, for emergency contact information, or to provide benefits.
- Personal information reflecting a written or verbal communication or transaction between a covered business and an employee, owner, director, officer, or independent contractor of another business, which occurs within the context of conducting due diligence or providing or receiving a product or service.

What businesses must honour worker data privacy rights?
As of January 1, 2023, the CCPA applies to for-profit businesses that do business in California, collect and determine the purpose and means of processing workers’ personal information, and meet one of the following thresholds:
- Have a gross annual revenue of over $25 million;
- Buy, sell, or share the personal information of more than 100,000 California residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

What happens to a business if they don’t comply?
- If you do not comply with the CPRA, your organization could be subject to fines of $2,000 per violation, $2,500 for negligent violations and $7,500 for wilful violations.
- Once regulators have notified them, companies have 30 days to comply with the law.
- Employees have the right to sue their employers under the latest CCPA amendment if certain conditions are met. This applies if the business fails to protect certain types of personally identifiable information, which include an employee's first name (or first initial) and last name in combination with any of the following: social security number, driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify a person's identity. Other information includes financial and/or medical details.

How can businesses prepare to comply?
There are several steps businesses can take to comply with the new regulations:
- A business can conduct an inventory of what information they hold on their employees and where it is stored. It is particularly important to identify any personal information which is considered sensitive.
- Assess how that sensitive data is protected, who has access to it and what those access controls are.
- Limit access to valid users, maintain tight controls over your contractors, and put data masking options in place based on rulesets.
- An important part of the process is evaluating the sufficiency of security procedures and internal controls currently in place over employee data. Workday’s security framework and audit capabilities support effective data privacy controls. But HR organizations must be intentional about how their internal controls leverage Workday capabilities.

How can Smart Shield help?
The easiest approach to data protection is preventing improper access. If your business is giving unrestricted access to third parties and elevated access to testers and trainers, you are at risk of exposing personally identifiable employee data, which can lead to misuse and a privacy breach, resulting in serious fines and reputational damage to your company.
Smart Shield is the only data masking tool in Workday that can comprehensively protect your employees’ sensitive data and do this for everyone across your non-production tenants. It has been designed to provide a complete masking solution for non-production tenants. Data masking obfuscates Workday fields based on defined rule sets, which allow organizations to control what information users can and cannot see. It has been designed to meet the specific needs of different departments and functions including finance, HR, audit, IT and third-party Workday Services partners.