KEEP AN EYE OUT: NEW DATA PRIVACY RULES

BY John Polson, Esq.

Chairman & Managing Partner
Fisher Phillips

BY Usama Kahf, Esq.

Partner
Fisher Phillips

April 2024

The news that California regulators can immediately begin enforcing new data privacy regulations will have an outsized impact on the PEO community. A surprise February 9 decision from a state appeals court pressed fast-forward on California Consumer Privacy Act (CCPA) compliance that most employers thought wouldn’t hit home until late March. As you’re reading this, prying eyes and website trolls are scouring the internet looking to take advantage of this new opportunity – and employees may become aware of their new rights and jolt you into this new era of exposure. Read on for a quick summary of what went down, why this news is particularly important to PEOs – and what you can do to protect your organization.

WHAT WENT DOWN

  • New CCPA regulations took effect in March 2023 that provide consumers additional data privacy rights – and in California, this also includes a PEO’s worksite employees. Along with these additional rights come additional obligations on businesses, including PEOs.
  • Just because your business is not located in California doesn’t mean you can ignore the CCPA. You could be a covered business if you have one client in California and collect personal information from even a single California worksite employee.
  • Regulators built in a grace period, holding off on enforcement until July 1, 2023.
  • On the eve of that date, a California court delayed enforcement and concluded they could not be enforced until March 29, 2024.
  • The California Privacy Protection Agency and the California Attorney General appealed the decision.
  • On February 9, an appellate court determined that the Agency and the AG have authority to immediately enforce the regulations and don’t have to wait until late March to begin enforcement.

WHY PEOS ARE IN THE CROSSHAIRS

To be perfectly blunt, your average employer doesn’t have to worry about immediate enforcement of the new regulations. That’s because most employers are (relatively) small enough to fly under the radar of state regulators. Regulators just don’t have the resources to scour the state (and country) looking for violators, so their focus will likely be on larger businesses.

But PEOs? That’s a different story. PEOs are not “most” employers. The nature of your operations means you support many different small businesses and have more worksite employees as your “consumers.” If you support 1,000 businesses, for example, each with somewhere between 30 and 100 employees, you now have tens of thousands of people under your portfolio. And that is bound to catch the attention of data privacy regulators – even if you are a local or regional PEO.

Put simply, the sheer number of worksite employees involved with the average PEO puts you at higher risk than most employers.

WHAT SHOULD YOU DO?

Fisher Phillips has created a seven-step compliance plan to help covered businesses prepare for this new era of enforcement and exposure. You can access that plan here. The best place to start is a gap assessment of your data privacy practices, which can be completed in one day by our consulting subsidiary fpSOLUTIONS, among other Data Privacy Compliance services.

But The Key Step For PEOs? Immediately Implement A Worksite Employee Privacy Policy.

  • The new regulations require businesses to make available to worksite employees a privacy policy that, among other things, informs them about how they can exercise their new CCPA rights.
  • They also require you to list each category of personal information and sensitive information collected, the purpose for each category, any category that is sold or shared, and the retention period for each category of personal information.
  • The policy must be simple and easy to understand with minimal to no “legalese.” It must be made available in other languages if you already provide worksite employees with legal notices in another language.

Since you are likely to be scrutinized by a regulator or opportunistic plaintiffs’ attorney at some point given your status as a PEO, you need to pay particular attention to the content of your privacy policy. The time is now to update your privacy policy. This means you need to do much work to put yourself in the best position to succeed.

The bottom line – if you have not updated your CCPA notices since 2022 or earlier – or if you have never provided such notices – you should act quickly to implement new notices and stay compliant with the ever-changing law.

 

This article is designed to give general and timely information about the subjects covered. It is not intended as legal advice or assistance with individual problems. Readers should consult competent counsel of their own choosing about how the matters relate to their own affairs.
