California has stepped up its privacy game. On November 22, 2024, the California Privacy Protection Agency (CPPA) introduced new regulations under the California Consumer Privacy Act (CCPA), and employers are in the spotlight. The sweeping changes focus on risk assessments, cybersecurity audits, and automated decision-making technology (ADMT). Employers, get ready—compliance might be your next big challenge.
Employers Face New Responsibilities Under Risk Assessment Rules
The CPPA’s proposed rules on risk assessments could profoundly reshape how employers handle HR data. These regulations require detailed assessments to gauge the risks involved in using employee data for certain purposes, particularly when using ADMT.
- What’s involved in a risk assessment? Employers must evaluate up to 30 elements to determine if the benefits of data use outweigh risks to privacy. Risks could include unauthorized access or discrimination based on protected categories.
- Documentation and submission: Risk assessments must be documented in detail, updated regularly, and submitted to the CPPA within two years of completion. Businesses must also comply with requests from the CPPA for unabridged reports within 10 business days.
Employers who fail to comply may face penalties, as these regulations aim to enhance transparency and accountability in data handling.
ADMT Regulations Raise the Stakes for Employment Decisions
Automated decision-making technology (ADMT) is another focal point of the proposed rules. Defined broadly, ADMT encompasses any technology that processes personal data to make or assist in decisions. This includes tools used for hiring, promotions, and monitoring employee performance. Employers will need to adapt to several requirements.
Key Provisions for ADMT Use
- Pre-Use Notice: Employers must notify employees and job applicants about the specific purpose of ADMT, how it works, and their rights regarding its use.
- Privacy Policy Updates: Businesses need to add ADMT-specific disclosures to their online privacy policies.
- Right to Opt-Out: California residents can opt out of ADMT uses, posing a challenge to employers relying on these tools for efficiency.
Exceptions Exist, but They’re Limited
While there are exceptions to the opt-out rule—such as ADMT used for security or hiring decisions—they come with strict conditions. For instance, employers must offer human reviews of decisions to qualify for certain exemptions. However, the narrow scope of these exceptions means many employers may still face hurdles in implementing ADMT.
Cybersecurity Audits: A Roadmap for Better Data Security
Cybersecurity audits are another pillar of the new regulations, but they primarily target large-scale data processors. That said, employers can glean valuable insights into the CPPA’s expectations for reasonable data security measures.
What’s Required?
- Annual audits by independent experts: These audits must cover specific areas, including data encryption, cybersecurity training, and access controls.
- Senior leadership involvement: High-ranking executives or board members must certify and submit the audit results to the CPPA.
Although smaller employers may not need to conduct these audits, adhering to similar practices could help avoid potential liability for data breaches.
Timeline for Implementation and Public Feedback
The CPPA has until November 22, 2025, to submit these regulations for final approval. In the meantime, public comments are open until January 14, 2025. This timeline gives businesses some room to prepare but underscores the importance of proactive measures.
Table: Key Deadlines and Requirements for Employers
| Requirement | Action Needed | Deadline |
|---|---|---|
| Risk Assessment | Conduct and document detailed risk assessments | Ongoing; updates every 3 years |
| ADMT Pre-Use Notice & Privacy Policy | Provide disclosures and update policies | Before ADMT implementation |
| Cybersecurity Audit (if applicable) | Conduct annual audits and certify compliance | Annual submission |
| Public Comments on Regulations | Submit feedback on proposed rules | January 14, 2025 |
Changes to Existing Regulations Add to the Compliance Puzzle
Beyond the new rules, the proposed changes revise existing regulations. For instance, employers rejecting a request to exercise data rights must now inform the individual of their right to file complaints with the CPPA or California attorney general, including links to their websites. Vendor contracts also need updates to ensure compliance with new rules.
What This Means for Employers
These proposed changes mark a significant shift in privacy compliance for employers. The heightened focus on ADMT and risk assessments could impact HR practices, requiring greater transparency and procedural safeguards. As businesses grapple with these new rules, the cost of compliance will likely rise, but so will the importance of protecting employee data.
