With new CCPA requirements coming into effect January 1, 2023, businesses are anxious to prepare for the changes. To help you get ready, we hosted an IAPP webinar on How to align your HR and B2B teams for the 2023 CPRA changes. Three veteran privacy professionals had plenty to say about how to approach the necessary changes across teams, because it'll take some cross-functional collaboration to get it done. Below are insights from Robin Andruss, CPO at Skyflow; Kimberly Lancaster, Senior Privacy Manager at Marqeta; and David Stauss, Attorney at Husch Blackwell.
What changes on January 1, 2023?
Most organizations' anxiety about the CPRA's looming implementation stems from its new requirements on employee data and B2B data. The CCPA was originally drafted as a consumer protection law and excluded B2B and employee data from DSARs. In the lead-up to the CPRA, lobbyists pushed for an extension of those exemptions, but failed to get it done in the end.
That means that starting Jan. 1, California privacy law will no longer distinguish between consumer and business data sets. Organizations will now need to offer data subject rights not just to California-based consumers, but also to their employees and business-to-business contacts.
Additionally, on Jan. 1, the right to cure goes bye-bye. Businesses will no longer have a courtesy window to correct CCPA violations before facing an enforcement action.
Takeaway: Starting January 1st, employee and B2B data are covered by the CCPA, and businesses lose the right to cure.
How should I prepare for the CPRA?
Use the previous preparation you’ve done for the GDPR and CCPA as a base to work off of. You may already have procedures in place for handling data requests or documentation that you can expand on.
Document your data flows. You need to understand where your data is, how it’s being processed, where it’s stored, and who has access to it. You also need to document your data owners within the organization. It's essential that you develop a relationship with HR, if you don't already have one, because you'll need a plan on how to react when employees file a DSAR. The response will likely require insights from both teams on how to process, how to validate, and how to respond to requests.
Takeaway: Document data flows and ownership across your organization. Update employee privacy notices and practices.
Which teams should work together for CPRA compliance on HR and B2B data?
Which teams collaborate on CPRA compliance will vary depending on your organization, your line of business, and how much infrastructure you have in place already as a result of any previous work on GDPR or CCPA. Larger companies might need to build a privacy working group across multiple departments. Other companies may just need a few privacy champions in HR, marketing, and sales.
Wherever you are in your compliance efforts, you need to sit down with HR and recruiting, and be available for employees who have questions. If you’re a B2B company, you also need to work with the people who use your HR and B2B data, such as marketing and sales operations.
Takeaway: Work with anyone who uses HR and B2B data in your organization.
How should I prioritize employee DSARs?
Consider how many Californian employees you have. If you've got 5,000 employees from California, you should assume a DSAR is heading your way sooner rather than later, and you've got to have a process for fulfilling it. If you only have 5 California-based employees, you can probably wait on the DSAR process until you get an actual request. Either way, you should update your employee notices.
Takeaway: Update employee notices. Prioritize DSARs based on how many Californians work for your company.
Are CCPA employee and B2B DSAR obligations different than under the GDPR?
There are a number of differences between GDPR and CCPA DSARs, but you should be able to create DSARs that satisfy both.
- When you receive a DSAR from California, you must acknowledge receipt within 10 days. The EU has no acknowledgement requirement.
- You must fulfill a CPRA DSAR within 45 days. For the GDPR, you must fulfill the DSAR within 30 days.
- California has a more prescriptive verification process for DSARs, while the EU is more flexible.
- California has existing laws such as the California Labor Code, which governs topics like obtaining documents that you've signed and payroll records.
Takeaway: The CCPA and the GDPR have different notification requirements, fulfillment windows, and verification requirements.
How can I make gains toward CPRA compliance?
Start by accounting for all your data. List your applications, such as HR, payroll, and internal comms. Add storage solutions as well, such as Google Drive, OneDrive, and Box. For each application and storage solution, list:
- What type of data it contains.
- Who has access to each data type.
- Where that data flows to.
- What data lifecycle practices you apply to the data.
Once you understand your data landscape, it will be much easier to prepare for DSARs and other CPRA requirements.
Takeaway: Inventory all your applications and storage solutions, and how they use data.
What are the litigation risks of CCPA DSARs?
The CCPA changes are likely to affect the discovery process. If an employee, ex-employee, or unsuccessful job seeker wants to sue a company, they’re likely to use a DSAR to see what information the company has on them. That gives them free discovery before initiating a lawsuit.
Unfortunately, the CCPA doesn’t differentiate between handling a DSAR from a disgruntled ex-employee and a regular member of the public. However, companies have an interest in treating legal responses differently than standard DSAR requests. How this all plays out in the courts remains to be seen.
Takeaway: Parties interested in suing will likely use DSARs to discover what information a company has on them before filing a lawsuit.
For more CCPA compliance tips, check out the full webinar on How to Align your HR and B2B teams for the 2023 CCPA changes.