This One Simple Change to Your HR Vendor Contracts Can Help You Avoid Additional CCPA Burdens
Insights
9.12.23
For employers, complying with the California Consumer Privacy Act (CCPA) can be quite burdensome. So if you can identify a simple way to reduce your obligations under this law, you should typically jump at the opportunity. Here is one such opportunity – and it is as simple as updating your contracts with HR vendors.
Recent Change Leads to New Obligations
As of January 1, 2023, the CCPA’s partial exemption for personal information of employees and job applicants has expired. That means employers must now evaluate whether they are disclosing employee and job applicant data in a way that might constitute “selling” under the law. If an employer is considered to be “selling,” the business must comply with additional CCPA requirements. And an employer can avoid activities that amount to “selling” of employee and job applicant data by simply updating its contracts with HR vendors.
What is “Selling” Under the CCPA and How Employers Might be Found to be Engaging in Selling
Under the CCPA, “selling” is a specially defined term. It entails disclosing personal information to a third party for monetary or other valuable consideration.
Employers may find themselves disclosing employee and job applicant data to an HR vendor. This includes payroll, benefits, insurance, and applicant tracking vendors, among others. Without further guidance from regulators or the courts, whether these types of disclosures could constitute a “sale” in absence of updated language in the vendor contract is an open question currently.
When There is a “Sale,” What Additional Things Does an Employer Need to Do?
If an employer’s business discloses data in a way that constitutes “selling”, the company is saddled with additional obligations – some of which are burdensome. Under these obligations, the business must:
- disclose that the business engages in “selling” in the business’s notices at collection and privacy policy;
- provide employees, job applicants, and other California residents with the ability to opt out of the sale of their personal information;
- post a weblink on the homepages of the business’s website that states “Do Not Sell or Share My Personal Information,” and when website visitors click that weblink, it will enable a submission of a request to opt out of sale of the requester’s personal information;
- equip the business’s website to recognize opt out preference signals that may be sent by a website visitor’s browser or device, and treat those signals as requests to opt out of sale of the website visitor’s personal information; and
- respond to requests to opt out of sale.
How to Avoid Engaging in Selling By Amending Your Vendor Contracts
Through some simple modifications to vendor contracts, employers can convert vendors into “service providers” to avoid activities that amount to “selling.”
Under the CCPA, “service provider” is another specially defined term. “Service provider” means a business that processes personal information received from a covered business, pursuant to a written contract with specific terms required by the CCPA. In particular, the contract must state that the service provider can only use the personal information for specific business purposes and the service provider cannot sell the personal information, among other required terms.
An employer can convert an HR vendor into a “service provider” by revising its vendor contract (or implementing a new contract) that contains the terms required by the CCPA. One of the benefits of this arrangement is an employer’s disclosure of personal information to a “service provider” will not constitute a “sale.”
For many employers, they can convert all their vendors who are given access to employee and job applicant data (or data of other California residents) to “service providers.” This would ensure they steer clear of activity that amounts to “selling” and thus avoid the additional obligations.
What Should Covered Employers Do?
- If you disclose employee and job applicant data to a vendor but have not updated your contract language to make them a “service provider,” consider a contract addendum. If you have not amended your contract with HR vendors to make them your “service provider,” it is not too late! You can implement a contract addendum that contains the necessary language. If this seems overwhelming, don’t worry – Fisher Phillips can assist in preparing and negotiating these contract updates and our attorneys even have a template agreement that we can work with you to adapt to your circumstances.
- Make sure the rest of your policies are compliant. If you have not updated your policies and practices related to the CCPA or the California Privacy Rights Act – which significantly amends the CCPA – Fisher Phillips can help jumpstart your CCPA compliance project.
Conclusion
Fisher Phillips will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information direct to your inbox. For further information, contact your Fisher Phillips attorney, the author of this Insight, or an attorney on the firm’s Consumer Privacy Team. You can also visit our firm’s CCPA Resource Center at any time.
Related People
-
- Anthony Isola
- Partner