What are the most important aspects of the CCPA for recruiters and talent acquisition teams?
On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect, and, like similar data protection laws including the EU’s General Data Protection Regulation (GDPR), the CCPA is intended to give consumers more say over how companies collect their data online and how they use it.
Although the text of the CCPA uses the term “consumers”, the scope of the CCPA is actually far broader than applying just to traditional consumers, as explained below. In addition, the CCPA specifically affects companies doing any business in California (including online) and dealing with California residents (which includes job applicants, prospective talent as well as talent acquisition teams within those organizations). Some of you may have heard or read that the CCPA does not apply to data relating to employees and applicants due to a recent amendment to the CCPA (AB 25), however we will explain below that certain CCPA obligations remain applicable.
What is the CCPA?
Global and local regulation around the handling of personal data is a thorny issue taking up more and more time for international enterprises. The CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.
Who does the law apply to?
The CCPA applies to businesses — meaning an entity that does business in the State of California (defined very broadly), collects personal information (or on behalf of which such information is collected), and that meets one of the following three thresholds:
I. Annual gross revenue in excess of $25 million,II. Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, orIII. Derives 50% of annual revenue from selling consumer personal information
Personal information is defined as information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household”.
How does Talent Acquisition fit within the above test?
The CCPA covers "collected information" which is defined as buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from a consumer, either actively or passively, or by observing the consumer’s behavior.
In the case of talent acquisition teams, the consumer is the candidate and this applies to all personal candidate information collected by the above means.
Who does the law protect?
The CCPA protects consumers, but rather than this term meaning individuals purchasing goods or services for their personal, family, or household use, the text of the CCPA expressly states that the term is actually used to refer to any individual who is a California resident.
Key Consumer Rights
The CCPA has inherited a number of the key protections found in other data protection regimes globally. Under the CCPA, consumers have certain rights, such as:
Wait, does the CCPA apply to employee data today? What about the CCPA amendment (AB 25)?
There has been a lot of confusion regarding the application of the CCPA to personal information relating to employees and applicants.
In October 2019, AB 25 was passed by the California legislature to amend the CCPA and provides an exemption, until January 1, 2021, for information collected by a business relating to an individual "acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business".
This means that while data relating to employees and job applicants are temporarily excluded from most of the CCPA’s protections, this does not mean that the CCPA would not be applicable in relation to such data until 2021.
In fact, the exemption under AB 25 does not cover two areas of compliance:
(i) pursuant to the CCPA, a business is still expected to provide employees or job applicants with a notice at the time of the data collection, and
(ii) a business is also required to maintain reasonable safeguards for the protection of personal information held by the business, since individuals affected by a data breach are allowed under the CCPA to initiate a private right of action against the business due to the breach.
What does this mean for talent acquisition teams?
With the evolution of data privacy law, including the introduction of the GDPR and CCPA in recent years, as well as legislation on the horizon in other jurisdictions, recruiting teams are now being forced to face the facts that data privacy must become a core tenet in their recruiting process.
One of the ways recruiting teams can ensure they are compliant with data privacy law and regulations is to upgrade their technology stack by implementing tools like recruitment CRM and marketing platforms.
These systems allow recruiting teams to manage candidate data in a compliant fashion and ensure they don’t fall afoul of new legislative and regulatory requirements as they are introduced.
At Beamery, we help our clients ensure compliance with their processes, and support them to achieve the best possible candidate experience. We hope that sharing the advice we give to our clients will help you navigate this new legislation.
If you have any questions about how our talent operating system can help you work to achieve compliance with changing data privacy requirements, please reach out to our sales team. However, please keep the following caveat in mind: Beamery is not a provider of legal advice and the contents of this note should not be taken as advice of any sort. All readers are strongly encouraged to seek their own advice in connection to the subject matter.