KEEP AN EYE OUT: NEW DATA PRIVACY RULES

BY John Polson, Esq.

Chairman & Managing Partner
Fisher Phillips

BY Usama Kahf, Esq.

Partner
Fisher Phillips

April 2024

The news that California regulators can immediately begin enforcing new data privacy regulations will have an outsized impact on the PEO community. A surprise February 9 decision from a state appeals court pressed fast-forward on California Consumer Privacy Act (CCPA) compliance that most employers thought wouldn’t hit home until late March. As you’re reading this, prying eyes and website trolls are scouring the internet looking to take advantage of this new opportunity – and employees may become aware of their new rights and jolt you into this new era of exposure. Read on for a quick summary of what went down, why this news is particularly important to PEOs – and what you can do to protect your organization.

WHAT WENT DOWN

  • New CCPA regulations took effect in March 2023 that provide consumers additional data privacy rights – and in California, this also includes a PEO’s worksite employees. Along with these additional rights come additional obligations on businesses, including PEOs.
  • Just because your business is not located in California doesn’t mean you can ignore the CCPA. You could be a covered business if you have one client in California and collect personal information from even a single California worksite employee.
  • Regulators built in a grace period to start enforcing them until July 1, 2023.
  • On the eve of that date, a California court delayed enforcement and concluded they could not be enforced until March 29, 2024.
  • The California Privacy Protection Agency and the California Attorney General appealed the decision.
  • On February 9, an appellate court determined that the Agency and the AG have authority to immediately enforce the regulations and don’t have to wait until late March month to begin enforcement.

WHY PEOS ARE IN THE CROSSHAIRS

To be perfectly blunt, your average employer doesn’t have to worry about immediate enforcement of the new regulations. That’s because most employers are (relatively) small enough to fly under the radar of state regulators. They just don’t have the resources to scour the state (and country) looking for violators, so their focus will likely be on larger businesses.

But PEOs? That’s a different story. PEOs are not “most” employers. The nature of your operations means you support many different small businesses and have more worksite employees as your “consumers.” If you support 1,000 businesses, for example, each with somewhere between 30 and 100 employees, you now have tens of thousands of people under your portfolio. And that is bound to catch the attention of data privacy regulators – even if you are a local or regional PEO.

Put simply, the sheer number of worksite employees involved with the average PEO puts you at higher risk than most employers.

WHAT SHOULD YOU DO?

Fisher Phillips has created a seven-step compliance plan to help covered businesses prepare for this new era of enforcement and exposure. You can access that plan here. The best place to start is a gap assessment of your data privacy practices, which can be completed in one day by our consulting subsidiary fpSOLUTIONS, among other Data Privacy Compliance services.

But The Key Step For PEOs? Immediately Implement A Worksite Employee Privacy Policy.

  • The new regulations require businesses to make available to worksite employees a privacy policy that, among other things, informs them about how they can exercise their new CCPA rights.
  • They also require you to list each category of personal information and sensitive information collected, the purpose for each category, any category that is sold or shared, and the retention period for each category of personal information.
  • The policy must be simple and easy to understand with minimal to no “legalese.” It must be made available in other languages if you already provide worksite employees with legal notices in another language.

Since you are likely to be scrutinized by a regulator or opportunistic plaintiffs’ attorney at some point given your status as a PEO, you need to pay particular attention to the content of your privacy policy. The time is now to update your privacy policy. This means you need to do much work to put yourself in the best position to succeed.

The bottom line – if you have not updated your CCPA notices since 2022 or earlier – or if you have never provided such notices – you should act quickly to implement new notices and stay compliant with the ever-changing law.

 

This article is designed to give general and timely information about the subjects covered. It is not intended as legal advice or assistance with individual problems. Readers should consult competent counsel of their own choosing about how the matters relate to their own affairs.

SHARE


RELATED ARTICLES

LEGAL - LEGISLATIVE

MEET CONGRESSWOMAN ERIN HOUCHIN

Voters in Indiana’s 9th Congressional district elected Congresswoman Erin Houchin to serve in the United States House of Representatives in November 2022. In doing so, Rep. Houchin became the first woman elected to Congress from her district. She also holds the distinction of being the only person elected to Congress who has worked for a PEO.Rep. Houchin spoke to PEO Insider about her decision to seek public office, her experience working for a PEO, and the policies she champions.

BY

May 2023

2023 DIGITAL TRENDS

Lorem ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry’s standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into …

BY James Joyce

June/July 2023
CYBERSECURITY - TECHNOLOGY

AI IN CYBERSECURITY: THE GOOD, THE BAD AND BEING ON THE PRECIPICE OF A NEW ERA IN TECHNOLOGY

As you might expect with cybersecurity, battlelines are being drawn between the people creating AI solutions to help protect companies and the people making AI software that is designed to find vulnerabilities in areas designed to protect data; systems; financial and personal information; intellectual property (IP); and Industrial Internet of Things (IIoT) and other IoT devices.

BY Dwayne Smith

September 2023
LEGAL - LEGISLATIVE

NAPEO ADVOCACY DAY IS A HOME RUN

There's an energy around the PEO industry this year that's palpable. Nowhere is that more true than in Washington DC, where we are starting to make our mark as a strong contributor to the vitality and success of the backbone of the economy: small and mid-size businesses. We've got a great story to tell. Help us tell it.

BY THOM STOHLER

August 2023

ADVERTISEMENT

Ad for Sentara Health Plans