(Editor: The following is a guest blog post provided by our I-9 partner, Mitratech)
In talent acquisition and recruiting, staying ahead requires an understanding of industry trends and emerging technologies. It is equally essential to be aware of the many compliance laws and regulations governing the recruitment process. In particular, employee data protection is undergoing significant change as each state passes new laws around data privacy. This churn puts pressure on HR departments, which must bring their hiring practices into compliance with these new laws, especially around background screening, I-9 forms, and employment and income verifications.
The California Consumer Privacy Act (CCPA)
One of the first consumer privacy laws enacted was the California Consumer Privacy Act (CCPA) in 2020. This law gives consumers and employees (CA residents) certain rights over the personal information businesses collect about them. Businesses are required to inform consumers about how they collect, use, and retain their personal information. Additionally, the California Privacy Rights Act (CPRA) amended the CCPA and went into effect on January 1, 2023. The CPRA added further consumer and employee privacy rights and obligations around sensitive personal information (SPI), such as:
- The right to limit the use and disclosure of SPI
- The right to opt out of the sale and sharing of their SPI for cross-context behavioral advertising
- The right to correct inaccurate personal information
- The right to know what personal information businesses have collected and how they use and share it
- The right to equal treatment for exercising these rights
- The right to delete SPI businesses have collected from them
- The right to access their data on request: the personal information itself, the categories, sources and collection purposes, and any third-party disclosures and sales
Legal Developments Since CPRA
Here’s an overview of the recent legal developments that came about since the CPRA:
- Virginia’s Consumer Data Protection Act (VCDPA) is structurally similar to the CPRA and went into effect on January 1, 2023.
- Colorado’s Privacy Act (CPA) is similar to the VCDPA and went into effect on July 1, 2023.
- The Connecticut Data Privacy Act (CTDPA) went into effect on July 1, 2023.
- The Utah Consumer Privacy Act (UCPA) takes a more business-friendly approach to consumer privacy and will go into effect starting December 31, 2023.
- The Florida Digital Bill of Rights (FDBR) will take effect on July 1, 2024. The FDBR is similar to other data privacy laws, however it incorporates several unique provisions that expand opt-out rights, protections for children online, and prohibitions on government officials moderating content.
- Iowa’s Consumer Data Protection Act (ICDPA) is similar to the UCPA and will take effect on January 1, 2025.
- Indiana Consumer Data Protection (INCDPA) is similar to other consumer privacy laws and will become effective on January 1, 2026.
- Montana’s Consumer Data Privacy Act (MTCDPA) is similar to other consumer privacy laws and will go into effect October 1, 2024.
- Texas’ Data Privacy and Security Act (TDPSA) follows suit with other data privacy laws and will become effective on July 1, 2024.
- Tennessee’s Information Protection Act (TIPA) is similar to the UCPA and becomes effective on July 1, 2025.
- The Wisconsin House passed Assembly Bill 957, similar to the VCDPA. If adopted, the law will go into effect on January 1, 2024.
- With House Bill 376, the Ohio Personal Privacy Act, Ohio is one of the few US states to have data protection regulation in place for its citizens’ data privacy.
California Leads the Way
Although California is the only state whose law covers employee data privacy, it is an indicator of a growing trend toward extending privacy rights to employee data. Because of these new and upcoming state-level regulations, protecting sensitive employee information is becoming more crucial to future-proofing your compliance. As we rely more on data-driven decisions, maintaining the confidentiality of employee data is not only a legal requirement but also builds trust within the workplace. Failure to handle sensitive employee information with care can lead to legal consequences, data breaches, and information misuse, and can harm an organization’s reputation.
1. Data Subject Rights
The CPRA and other similar laws are crafted entirely around data subject rights. Data subject rights grant individuals control over their personal information. Under the CPRA, employees have these rights:
- The right to access
- The right to delete
- The right to correct
- The right to opt out of the sale or sharing of personal data
- The right to limit the disclosure of personal data
- The right to opt in to financial incentives for the processing of personal data
- The right to access information on automated decision-making
- The right to opt out of automated decision-making
- The right to non-discrimination for exercising these rights
The process for handling data subject requests begins with a clear and accessible avenue for individuals to submit their requests. The business must honor them free of cost within 45 days or risk facing a penalty. After requests are made, the business should promptly respond to the request, whether it be providing access, correcting inaccuracies, or deleting the data. They must also communicate with any third parties to update the information in their systems per the request of the consumer.
2. Privacy Policies and Consent Management
According to the CPRA, privacy policies must notify employees before or at the point of collection of their personal information. This notice must include:
- Categories of personal information to be collected
- Purposes for which the information is to be collected
- Whether this information is sold or shared – the employee must be given the option to opt out
- The retention period of keeping their personal information or the method used to determine a reasonable period.
- A list of categories of personal information it has collected in the preceding 12 months
- Categories of sources where it has collected the information
- Business or commercial purposes for collecting, selling, or sharing the information
- Whether the business sells or shares employees’ personal information or discloses it for a business purpose
- If the business sells or shares information, a list of the categories of personal information it has sold or shared in the preceding 12 months
- If the business discloses the information, a list of the categories it has disclosed in the preceding 12 months
- Categories of third parties to whom the business discloses employees’ personal information
- Employees’ data privacy rights under the CPRA and the method to exercise them.
Consent management ensures that individuals give explicit permission for the collection and processing of their personal information. The Fair Credit Reporting Act (FCRA) requires businesses to obtain explicit consent from job applicants before conducting any background screening or verifying their employment. Companies must also provide the applicant with a disclosure form informing them that the company will be checking their background for employment purposes.
3. Data Minimization
Data minimization means an organization should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose. According to the CPRA, businesses cannot process data beyond what’s “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
Adhering to the principle of data minimization requires regular reviews and updates of the collected data. Routine assessments enable organizations to reevaluate the relevance and necessity of the data. Assessments allow organizations to identify and eliminate any information that no longer serves a legitimate purpose. Doing so minimizes the risk of unauthorized access or misuse and streamlines their data storage practices, promoting efficiency and transparency.
4. Secure Data Storage and Access Controls
Every business must take adequate technical and organizational measures to prevent data breaches. Not only will a breach harm an organization’s reputation, but it will also lead to violations of the CPRA.
The CPRA states that a business that collects a consumer’s personal information “shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.”
It is important to assess these data risks and determine the processes needed to keep your data secure. Conduct regular risk assessments to determine whether the benefits of processing sensitive personal information outweigh the risks to consumers, the public, and your business. Additionally, you should perform cybersecurity audits at least once a year.
Secure data storage involves implementing measures to protect sensitive information from unauthorized access, disclosure, alteration, and loss. Several key elements include:
- Access controls
- Secure storage infrastructure
- Regular backups
- Physical security
- Secure protocols
- Data masking and anonymization
Data access controls refer to the mechanisms and policies put in place to manage and restrict access to confidential data within an organization. This involves assigning specific permissions and privileges to individuals based on their roles and responsibilities, ensuring that only authorized personnel can access, modify, or disseminate sets of data.
Prioritizing these practices helps organizations safeguard privacy, maintain regulatory compliance, and build trust in handling sensitive data during the hiring process.
5. Retention and Deletion Policies
Retaining employee data is necessary for background screening, I-9 management, payroll, and more. However, organizations must establish clear policies, timeframes, and protocols for retaining applicant and employee data. Organizations should delete data that is no longer required.
The CPRA states businesses “shall not retain a consumer’s personal information…for longer than is reasonably necessary for that disclosed purpose.” Not only should the personal information be used for its intended and disclosed purpose, but that information cannot be kept indefinitely.
Striking a balance between retaining essential information and regularly purging outdated records is crucial for maintaining data integrity, protecting employee privacy, and fulfilling legal obligations. Regularly review and update these policies according to the changing data protection regulations to keep up with new laws and amendments.
6. Training and Awareness
HR professionals play a pivotal role in ensuring the lawful and ethical handling of employee data. Comprehensive training equips HR staff with a deep understanding of data protection laws such as the CPRA, fostering compliance and minimizing the risk of legal repercussions. It allows them to implement robust data security measures, enforce access controls, and respond effectively to consumer inquiries about their personal information and to data breaches.
Moreover, a well-informed HR team builds a culture of privacy and security awareness, instilling trust among employees and applicants that their personal information is handled with utmost care and integrity. Ultimately, investing in the continuous education of HR personnel on data privacy safeguards both the organization and its employees. This investment reinforces a commitment to ethical data practices and legal adherence.
7. Selecting Vendors
When selecting vendors for background screening, I-9 systems, and employment and income verifications, it’s crucial to prioritize those that comply with data privacy laws and other regulations. Organizations should evaluate the vendors’ commitment to data privacy and security to ensure they adhere to industry-specific laws and regulations. Vendors must be transparent about data handling processes, encryption practices, access controls, and mechanisms for data breaches or incidents.
Electronic I-9 systems, such as Tracker I-9, can help eliminate risk and ensure compliance. These systems offer built-in error checks to catch mistakes, secure storage options to protect against unauthorized access, and easy retrieval during audits.
Comprehensive background screening solutions, such as AssureHire, are accredited by the Professional Background Screening Association (PBSA) and SOC 2 certified. AssureHire provides detailed and accurate reports on background check findings, ensuring that employers have the necessary information to make informed hiring decisions. The reports comply with disclosure requirements and include only relevant and permissible information.
Automated income verification services through the Vault EDGe Gateway ensure compliance with data privacy laws and FCRA through the integration with Tracker I-9 and AssureHire. Employment details are accessed directly from the employer’s records to reduce risk. This solution provides high-tech encryption, secure data centers, and security protocols that eliminate “send-and-store” file feeds.
Cutting-edge Technology and Strategic Partnerships for Compliant Workplaces
Adhering to data privacy laws is essential to both the ethical and the legal dimensions of HR processes. As HR professionals navigate data privacy regulations, embracing these standards mitigates legal risks and demonstrates a commitment to respecting individuals’ privacy rights. From privacy policies and consent management to implementing secure storage, these principles create a foundation of trust between employers and their candidates and employees.
For HR professionals, Vault Verify’s partner, Mitratech, provides an end-to-end suite of solutions including background screening and form I-9. AssureHire is a leading provider of candidate-friendly background screening solutions, dedicated to making the hiring process more accessible and convenient for both employers and job seekers. With a strong focus on candidate experience, AssureHire ensures that the screening process is efficient, transparent, and respectful of individuals’ privacy rights.
Tracker I-9 is a user-friendly software that simplifies the Form I-9 process, reduces compliance risks, and offers features such as electronic storage, automated updates, and robust data security. With its intuitive interface and dedicated customer support, Tracker I-9 is an ideal choice for organizations seeking efficient and reliable Form I-9 management.
With our partnership with Mitratech, we can offer more advantages through our EDGe Gateway solution at a reduced price.
The Vault EDGe Gateway provides real-time data for Tracker I-9 and AssureHire through API integration. Learn how this partnership greatly reduces potential employee data exposure and manual admin work.
If you would like to learn more about Vault Verify’s employment and income verification services, and see how our real-time API protects employee data, please request a demo.
Miranda Knudtson is the Partner Marketing Manager of the HRC business unit at Mitratech. Miranda works closely with the Partnership team to develop and execute comprehensive partner marketing strategies and programs to generate demand, increase brand awareness, and drive revenue growth. She collaborates with channel partners to create co-branded campaigns, webinars, events, and various marketing initiatives to foster partner engagement and customer acquisition for Mitratech and their channel partners.
Outside of her role, Miranda enjoys reading, painting and other crafts, along with traveling to National Parks with her partner.