Why PEOs Need to Pay Particular Attention to New Data Privacy Rules – And the 1 Key Move You Should Make Immediately

Fisher Phillips

The news that California regulators can immediately begin enforcing new data privacy regulations will have an outsized impact on the PEO community. A surprise February 9 decision from a state appeals court pressed fast-forward on California Consumer Privacy Act (CCPA) compliance that most employers thought wouldn’t hit home right away. As you’re reading this, prying eyes and website trolls are scouring the internet looking to take advantage of this new opportunity – and employees may become aware of their new rights and jolt you into this new era of exposure. Read on for a quick summary of what went down, why this news is particularly important to PEOs – and what you can do to protect your organization.

What Went Down

  • New CCPA regulations took effect in March 2023 that provide consumers additional data privacy rights – and in California, this also includes a PEO’s worksite employees. Along with these additional rights come additional obligations on businesses, including PEOs.
  • Just because your business is not located in California doesn’t mean you can ignore the CCPA. You could be a covered business if you have one client in California and collect personal information from even a single California worksite employee.
  • Regulators built in a grace period, delaying enforcement of the regulations until July 1, 2023.
  • On the eve of that date, a California court delayed enforcement further and concluded the regulations could not be enforced until March 29, 2024.
  • The California Privacy Protection Agency and the California Attorney General appealed the decision.
  • On February 9, an appellate court determined that the Agency and the AG have authority to enforce the regulations immediately and don’t have to wait until late March to begin enforcement.

Why PEOs are in the Crosshairs

To be perfectly blunt, your average employer doesn’t have to worry about immediate enforcement of the new regulations. That’s because most employers are (relatively) small enough to fly under the radar of state regulators. They just don’t have the resources to scour the state (and country) looking for violators, so their focus will likely be on larger businesses.

But PEOs? That’s a different story. PEOs are not “most” employers. The nature of your operations means you support many different small businesses and have more worksite employees as your “consumers.” If you support 1,000 businesses, for example, each with somewhere between 30 and 100 employees, you now have tens of thousands of people under your portfolio. And that is bound to catch the attention of data privacy regulators – even if you are a local or regional PEO.

Put simply, the sheer number of worksite employees involved with the average PEO puts you at higher risk than most employers.

What Should You Do?

Fisher Phillips has created a seven-step compliance plan to help covered businesses prepare for this new era of enforcement and exposure. You can access that plan here. The best place to start is a gap assessment of your data privacy practices, which can be completed in one day by our consulting subsidiary fpSOLUTIONS, among other Data Privacy Compliance services.

But the key step for PEOs? Immediately implement a worksite employee privacy policy.

  • The new regulations require businesses to make available to worksite employees a privacy policy that, among other things, informs them about how they can exercise their new CCPA rights.
  • They also require you to list each category of personal information and sensitive information collected, the purpose for each category, any category that is sold or shared, and the retention period for each category of personal information.
  • The policy must be simple and easy to understand with minimal to no “legalese.” It must be made available in other languages if you already provide worksite employees with legal notices in another language.

Since you are likely to be scrutinized by a regulator or an opportunistic plaintiffs’ attorney at some point given your status as a PEO, you need to pay particular attention to the content of your privacy policy. The time to update your privacy policy is now. This means there is much work to do to put yourself in the best position to succeed.

The bottom line – if you have not updated your CCPA notices since 2022 or earlier – or if you have never provided such notices – you should act quickly to implement new notices and stay compliant with the ever-changing law.

This article is reprinted with permission from PEO Insider where it appeared in the April 2024 edition, available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising
