California Consumer Privacy Act (CCPA) overview

The California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020. The CCPA was subsequently amended by the California Privacy Rights Act of 2020, often referred to as the CPRA.

The CCPA imposes several obligations on businesses that collect personal information from California consumers, and generally expands the rights of California consumers to include the right to (a) access their personal information; (b) request that their personal information be deleted; (c) get information about the collection, sales, and disclosure of their personal information; and (d) opt out of the sale of their personal information.

As of January 1, 2023, the CCPA applies to the personal information of a business’s California employees and job applicants.

“Personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The term “consumer” is defined more broadly in the CCPA than it is normally used in everyday parlance and includes not only a business’s individual customers, but also its employees and job applicants who are California residents, which is where Greenhouse comes in.


Does my company have to comply with the CCPA?

The CCPA applies to any “business,” which is a term of art under the CCPA that refers specifically to a for-profit company that (a) collects personal information (“PI”) of consumers; (b) determines the purposes and means of processing of the PI; (c) does business in California; and (d) meets one of the three additional criteria: (i) has annual gross revenues greater than $25 million, (ii) collects or shares PI from at least 50,000 California residents per year for commercial purposes, or (iii) derives at least 50% of its annual revenue from selling California consumers’ PI.

Obviously, Greenhouse cannot decide whether its customers are obligated to comply with the CCPA, as we have thousands of customers and it is a fact-specific determination. If you haven’t already, we encourage you to consult with your company’s own data privacy counsel in order to decide how your organization can best proceed under the law.

If the CCPA applies to my company, what are our obligations with respect to the data we collect to recruit and/or onboard our employees?

As of January 1, 2023, the aspects of the CCPA that currently apply to employee and applicant data include:

1) Businesses are required to provide employees and job applicants with a CCPA notice (see Section 100(b)) at the point that their personal information is collected that includes:

  • (a) The categories of personal information being collected; and
  • (b) The purposes for which each category of personal information will be used.

2) A business’s employees and applicants are entitled to:

  • (a) Know what personal information the business has collected about them;
  • (b) Request that a business correct inaccurate information about them; and
  • (c) Request that a business delete information about them (unless the business is required to keep the information).

3) A business’s employees and applicants have a private right of action under the CCPA (see Section 1798.150) IF their personal data is disclosed or stolen as a result of the business’s violation of its duty to implement and maintain reasonable security practices and procedures to protect the personal information.

Where does Greenhouse come in?

With respect to our customers, Greenhouse is a “service provider” under the CCPA’s definition of that term; specifically, Greenhouse is a for-profit corporation that stores and processes California consumers’ personal information on behalf of our customers for a business purpose pursuant to a written contract that prohibits Greenhouse from using or disclosing the personal information for any purpose other than performing the services set forth in that contract.

Accordingly, the CCPA permits our customers to disclose personal information about their employees and applicants to Greenhouse (i.e., by allowing us to store and process it on the customer’s behalf) without requiring consent from the employees or applicants or giving them the opportunity to opt out.

To satisfy the CCPA notice requirement in (1) above, your company can simply include a link to its CCPA-compliant privacy policy in its job posts, which are highly customizable within your instance of Greenhouse’s recruiting software. Similarly, if your company uses Greenhouse Onboarding, you can easily send the required notice to new hires through the application, just as you do other onboarding paperwork.

To help you comply with the CCPA’s requirements in (2) above, Greenhouse has built-in functionality that gives our customers the ability, at their option, to delete an applicant’s personal information or provide a “candidate packet” that contains all of an applicant’s personal information.

As for the CCPA’s requirement in (3) above regarding security practices and procedures, Greenhouse takes our obligation to keep our customers’ data safe and secure very seriously, and we adhere to industry-standard best practices, including maintaining SOC2, ISO27001, and ISO27701 certifications.