The state of California has enacted a new law called the California Consumer Privacy Act of 2018 (the CCPA) that took effect on January 1, 2020. The law imposes several obligations on businesses that collect personal information from California residents, and generally expands the rights of California residents to include the right to (a) access their personal information; (b) request that their personal information be deleted; (c) to get information about the collection, sales, and disclosure of their personal information; and (d) to opt out of the sale of their personal information. What you may not know, however, is that the CCPA is largely inapplicable to personal information that a business collects from its employees and job applicants until 2023 at the earliest.
“Personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The term “consumer” is defined more broadly in the CCPA than it is traditionally used in everyday parlance, and includes not only a business’ customers, but also its employees and job applicants who are California residents, which is where Greenhouse comes in.
Does my company have to comply with the CCPA?
The CCPA applies to any “business,” which is a term of art under the CCPA that refers specifically to a for-profit company that (a) collects personal information (“PI”) of consumers; (b) determines the purposes and means of processing of the PI; (c) does business in California; and (d) meets one of the three additional criteria: (i) has annual gross revenues greater than $25 million, (ii) collects or shares PI from at least 50,000 California residents per year for commercial purposes, or (iii) derives at least 50% of its annual revenue from selling California consumers’ PI.
Obviously, Greenhouse cannot decide whether its individual customers are obligated to comply with the CCPA, as we have thousands of customers and it is a fact-specific determination. If you haven’t already, we encourage you to consult with your company’s own data privacy counsel in order to decide how your organization can best proceed under the law.
If the CCPA applies to my company, what are our obligations with respect to the data we collect to recruit and/or onboard our employees?
As you may have heard, there were some amendments to the CPPA enacted this fall that have delayed enforcement of most aspects of the law with respect to a business’ employee and applicant data until 2023 at the earliest. Indeed, there are only two aspects of the CCPA that currently apply to employee and applicant data:
- As of January 1, 2020, businesses will be required to provide employees and job applicants with a CCPA notice (see Section 100(b)) at the point that their personal information is collected that includes:
- The categories of personal information being collected; and
- The purposes for which each category of personal information will be used
- As of January 1, 2020, a business’s employees and applicants will have a private right of action under the CPPA (see Section 1798.150) if their personal data is disclosed or stolen as a result of the business’s violation of its duty to implement and maintain reasonable security practices and procedures to protect the personal information
Where does Greenhouse come in?
With respect to our customers, Greenhouse is a “service provider” under the CCPA’s definition of that term; specifically, Greenhouse is a for-profit corporation that stores and processes California consumers’ personal information on behalf of our customers for a business purpose pursuant to a written contract that prohibits Greenhouse from using or disclosing the personal information for any purpose other than performing the services set forth in that contract. Accordingly, the CCPA permits our customers to disclose personal information about its employees and applicants to Greenhouse (i.e. by allowing us to store and process it on the customer’s behalf) without requiring consent from the employees or applicants or giving them the opportunity to opt out.
Notably, a business will not be required to comply with its employees' or applicants’ requests to access or delete or opt out of the sale of their personal information until 2023. Nonetheless, Greenhouse already has built-in functionality that gives our customers the ability, at their option, to delete an applicant’s personal information or provide a “candidate packet” that contains all of an applicant’s personal information.
Regarding Greenhouse’s security practices and procedures, we take our obligation to keep our customers’ data safe and secure very seriously and adhere to industry standard best practices, including maintaining SOC2, ISO27001, and ISO2771 certifications.