By Hao Nguyen
ComplyAuto, Chief Legal Officer
The temperature is not the only thing that is rising this summer in the Golden State. California Attorney General Robert Bonta continues his crusade to champion consumer data protection and California Consumer Privacy Act (CCPA). In the Office of the Attorney General’s (OAG) first significant step since settling with Sephora to the tune of $1.2 million over violations of the CCPA last August, Bonta announced an investigative sweep to gauge covered businesses’ compliance with the CCPA (now known as the California Privacy Rights Act, or CPRA) with respect to the personal information of employees and job applicants. This investigative sweep took the form of inquiry letters the OAG sent to a large number of California employers and you can be sure that they will scrutinize any responses they receive. “The California Consumer Privacy Act is the first-in-the-nation landmark privacy law, and starting this year, the personal information of employees, job applicants, and independent contractors received greater data privacy protections because of it,” said Bonta.
The exemption that carved out employee information, job applicant information, and information gathered in business-to-business (B2B) transactions expired on January 1, 2023 and the OAG is making sure that we are all aware of that.
Types of Employee and B2B Information Subject to the CPRA
The personal information the covered business collects that is now under the purview of the CPRA is information about a job applicant, a past or current employee, including owners, directors, officers, contractors, and their beneficiaries and dependents. Additionally, personal information that is collected in the B2B context includes that of employees or business contacts that the covered business collects when it provides or receives a product or service to and from other businesses.
Application of the CPRA in this Context
All the rights that a typical consumer has under the CPRA is now imbued for those parties stated above. This includes the various requests over their personal information coupled with the covered business’s responsibility to provide a notice at collection to notify the party of, among other things, the categories of information that can be collected, shared or sold, the purpose of collecting this information, and where to go in order to exercise their rights. I would argue that the crux of the CPRA is transparency. The covered business must identify its existing practices and notify consumers of these practices accordingly.
What it Means for the Dealership
Here are a few things to consider at your dealership to ensure that your CPRA practices are buttoned up within these now non-exempt areas of the business:
- Any job posting the dealership displays both externally (and internally) should have a link to the dealer’s notice at collection that discloses practices as noted above
- Any place where you are on-boarding new hires and collecting employment information, such as an area in the business office or in HR, the new hire should have access to the notice at collection. This includes placing the link on a sign and posting it in these locations
- Privacy policies should be updated to reflect these new parties*.
*The easiest way to tell if your privacy policy is out-of-date is its latest revised date. These new exemptions sunset on January 1, 2023, so if your privacy policy shows a date before that then it is likely out of date.
Have you been contacted by the Office of the Attorney General?
Please contact us at info@complyauto.com and let us know. This information is very useful to us as we all try to navigate this new reality in California.
Questions or Comments?
Feel free to contact us. We are eager to help in any way we can.
This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it.