First it was California (version 1 and version 2); then it was Virginia. Now it is Colorado. IT IS NOT GOING TO STOP THERE.
California’s CCPA covered human resources data somewhat. CPRA covers it completely and will require HR departments to create programs to protect HR data.
This includes notices at the time data is collected, new data privacy practices, new rules for third parties that the company uses and procedures for when employees exercise their rights.
While Virginia and Colorado were the next two dominoes to fall, there are about two dozen bills in various state houses.
Some of these cover HR data; others do not.
The Colorado and Virginia laws are more likely to be the model going forward – with, of course, twists and turns. In part, this is because these laws are written more coherently. Of course, that doesn’t mean that some states won’t model their laws after California’s.
Unlike California, the Colorado and Virginia laws do not allow for a private right of action – a key point of contention in getting an agreement for a national privacy law. The Colorado law does allow local district attorneys to go after violators.
All of these laws have three different sets of responsibilities –
- Data controllers – the company or person responsible for the data
- Data processors – an organization that acts as an agent for the controller and in some way processes the data
- The individuals – who have new data rights
Even if the law in a particular state does not affect employee data, HR is likely going to need to be involved anyway. New policies and programs will affect employees in many ways and HR will need to help companies navigate the new path.
And, of course, companies are going to need to figure out where their customers and visitors are located, because the laws’ effect is based on their location, not yours.
In addition, companies will need to engage legal talent, whether internal or external.
January 1, 2023 is really not that far away.
For more details, see this article at JD Supra