With the enactment of the Colorado Privacy Act on July 7, 2021, Colorado joins Virginia in transforming the first major state privacy law, the California Consumer Privacy Act (CCPA), from an outlier into what now appears to be the beginning of an inevitable trend. Employers must start addressing this trend not just because the CCPA and its upcoming successor, the California Privacy Rights Act (CPRA), apply to the personal information of individuals in the employment context (HR data), but also because more states are poised to follow suit. Although the Colorado Privacy Act and Virginia’s Consumer Data Protection Act (VACDPA) do not apply to HR data, they are likely to become a model for future state laws that do cover HR data. Moreover, both laws impose demanding compliance obligations that many companies are likely to meet only with the help of the company’s human resources department, and they add to the crunch that companies will face in late 2022 as they race to meet multiple privacy laws’ compliance deadlines.
Employers Must Start Planning to Address New State Privacy Laws that Regulate the Handling of HR Data
The new Colorado and Virginia laws are part of a flurry of privacy bills in statehouses across the country sparked by the CCPA and the CPRA. These bills show the growing, nationwide appetite for increased privacy protection. About two dozen bills with substantial elements of the CCPA and CPRA are now pending in state legislatures, and approximately one-half of them would apply to HR data in addition to consumer data. In addition, at the federal level, both Democrats and Republicans have introduced competing bills for comprehensive privacy laws.
The Colorado Privacy Act and VACDPA Could be the Models for Future Privacy Laws Applicable to HR Data
While the CCPA and CPRA are the first and only broad data protection laws to apply to HR data, new laws are more likely to follow Colorado’s and Virginia’s models for three reasons. First, both laws are substantially better drafted and more coherent than either the CCPA or the CPRA. Second, the Colorado Privacy Act and VACDPA impose less burden on business while, in many ways, offering stronger privacy protections. Third, the two laws are quite similar, suggesting that they represent an emerging consensus on the key features of a comprehensive privacy law in the United States. They may, therefore, show us the shape of future federal and state privacy laws that regulate HR data.
What are the key features of these laws? Both laws are limited in bite and in scope. Neither law grants a private right of action, leaving enforcement to the state attorney general and, in Colorado’s case, district attorneys. The Colorado and Virginia laws apply only to companies that control or process the personal data of at least 100,000 state residents in a year or, if the company derives revenue from selling personal data (in Virginia, more than half of its gross revenue), the personal data of at least 25,000 state residents.
For companies that must comply, however, the burdens could be onerous, albeit less so than under the California laws. The Colorado Privacy Act and VACDPA have, in essence, three parts: controller obligations, processor obligations, and individual data rights.
The vast majority of these laws’ obligations fall on “controllers.” A controller, defined as the entity that determines the purposes and means of processing (an employer would be considered a controller), must take steps including the following:
- take reasonable measures to safeguard personal data from unauthorized acquisition;
- obtain consent before processing sensitive personal data;
- pass down, by contract, most obligations to processors; and
- properly respond to requests by individuals to exercise their data rights.
In addition, controllers must conduct and document a data protection assessment before certain types of higher-risk processing — for example, processing sensitive personal data, such as race, religion or sexual orientation.
Processors, defined as entities that process personal data on behalf of a controller, are subject to both statutory and contractual obligations. Controllers must bind processors, by written agreement, to obligations, including: (a) to process personal data only pursuant to the controller’s instructions; (b) to provide the same types of protections for personal data that apply to controllers; and (c) to ensure that each person handling personal data is subject to a duty of confidentiality. In addition, Colorado’s and Virginia’s laws impose independent obligations on processors, such as to enter “downstream” agreements with subcontractors to ensure that protections flow with the personal data and to assist the controller with responding to requests to exercise data rights.
Individual Data Rights
The Colorado Privacy Act and VACDPA provide state residents with a panoply of rights. These rights include the rights to access, correct, delete, and obtain copies of their personal data held by controllers and by processors on a controller’s behalf, as well as the right to opt out of targeted advertising, the sale of personal data, and certain profiling. Both laws also establish detailed procedures that controllers must follow when responding to requests.
Compliance with Privacy Laws that do not Apply to HR Data May Still Require HR’s Involvement
Human resources professionals cannot ignore state privacy laws, like the Colorado Privacy Act and the VACDPA, just because they do not apply to HR data. A large part of an organization’s privacy compliance program will rest on the shoulders of staff. Organizations will need a governance structure, administrative processes, and training.
The human resources department may find itself intimately involved in developing this “people” aspect of the privacy compliance program. For example, every employee who deals with the public at an organization subject to the Colorado Privacy Act or VACDPA will need basic instruction on how to route an individual’s request to exercise data rights.
Planning is Critical as a Data Privacy “Compliance Crunch” is Approaching
For those outside the privacy world, January 1, 2023 may not have much significance. For privacy professionals, New Year’s Day 2023 has become a form of D-Day, where the “D” stands for “data protection.” On that date, the California Privacy Rights Act goes into effect with its expansive obligations for HR data. Of concern to U.S. multinationals with employees in the European Union (EU), new cross-border data transfer requirements will come into force just days before January 1, 2023. Piling on, the VACDPA also goes into effect on January 1, 2023, and the Colorado Privacy Act has set its compliance deadline only six months later, on July 1, 2023. The result at many organizations will be overwhelmed IT and compliance departments from mid-2022 into late 2023.
To avoid the worst of the crunch, human resources departments should consider taking advantage of the summer lull to start sizing up and planning their compliance projects if their organization has employees who reside in California or the EU. Organizations with substantial operations in California or the EU should consider initiating the compliance work by late 2022 to ensure ample time to complete what likely will be a substantial undertaking. To the extent that the organization also is subject to the Colorado Privacy Act or the VACDPA, that lead time will be critical, as other internal departments, such as legal, procurement, IT, and privacy/compliance, are likely to be stretched thin and less and less available to support HR as data protection D-Day approaches.
Finally, organizations should keep an eye out for additional privacy legislation that does apply in full to HR data. Given the number of pending bills, we may soon see more laws enacted like the Colorado Privacy Act and the VACDPA, and some of these laws likely will apply to HR data.