The contracts you have with your HR vendors could put you at risk under California’s data privacy law if they’re not structured carefully, now that employee data rights are covered in much the same way as consumer data, Matthew Hays of Dykema Gossett says.
Earlier this year, extended protections in the California Consumer Privacy Act took effect, giving employees much the same rights that consumers have had since 2020 to exercise control over how companies handle personal data.
Like consumers, employees can ask what data is being held, how it’s collected and stored, what it’s being used for, how long it’s being kept, and so on. And if companies are selling their employee data, employees can ask to opt out of that.
Companies typically don’t sell their employees’ personal data to third parties, because they’re not in the business of making money from it the way they tend to be on the consumer side. But if the terms of their contracts with vendors who handle their payroll and other HR functions aren’t compliant with the law, the data that’s shared could be construed as a form of sale to those vendors, heightening compliance exposure.
“One of the cruel aspects of the CCPA is that it’s actually quite easy to accidentally share or sell that data,” Hays said in a webcast hosted by the law firm. “It sounds odd, but that is because if you disclose data to third-party vendors that … help you administer employment [functions], the CCPA is extremely specific about what those contracts have to say.”
Among other things, HR vendors must agree to meet the law’s requirements for handling employees’ personal information, which include limits on what they can use that data for, and to allow you as the employer to ensure they’re processing the data in a compliant way.
Vendors also have to agree to cooperate when employees make requests about their data.
These employee requests could be for disclosing what information their employers have on them, making changes if data is inaccurate, or deleting data if it’s not otherwise required by law to be maintained.
If the language in your contracts with these vendors doesn’t match what’s required, Hays said, then you risk having the data-sharing arrangement considered a form of sale.
“There’s no money exchanged, but there [might be] some type of consideration going back that will turn it into a sale from a mechanical standpoint,” he said.
In July, the California Attorney General’s office announced it had sent inquiry letters to large California employers seeking information about whether they are handling the personal information of employees and job applicants in compliance with the CCPA.
Vendors as service providers
Large, established companies that operate in the HR space can be expected to be familiar with the CCPA contractual language and know how to handle data in a compliant way, Hays said.
One way to gauge if a third party is up to speed on what’s required is to see how it’s representing itself in its vendor materials.
“There’s this magical word called a service provider,” he said. “You’ll want all your vendors to be a service provider as a kind of safe haven. If the vendor is considered a service provider, it is per se not a sale of data [if you] disclose your employee data to that vendor.”
At the least, he said, if the third party represents itself as a service provider, it shows it’s not coming at CCPA as something unfamiliar to it.
“You know this is not going to be that foreign of a concept to them and hopefully that means they’re a good vendor to work with,” he said.