Stuart L. Pardau is a tenured professor at the David Nazarian College of Business and Economics at California State University, Northridge, USA. He also practices law and consults with clients in the areas of privacy and data security, intellectual property licensing, and compliance issues.
Experience informs us that it is not uncommon for different areas of law to conflict and sometimes produce unintended results. The intersection of privacy law and corporate compliance produces some disturbing examples in this regard.
As Exhibit A, take the Federal Trade Commission’s 1999 ruling that the Fair Credit Reporting Act (FCRA) required employers to obtain an alleged sexual harasser’s consent before having the employer’s outside law firm investigate the allegations. Or take Article 10 of the General Data Protection Regulation (GDPR), which limits the “[p]rocessing of personal data relating to criminal convictions” without carving out exceptions for internal investigations, anticorruption due diligence, export control vetting, or background checks on potential employees.
Similarly, the GDPR’s right to be forgotten, right to object to processing, and right to restrict processing can hamstring internal investigations and due diligence related to hiring. In these and other cases, well-meaning privacy advocates and well-intentioned drafters of statutes fail to unambiguously allow processing of personal data for legitimate compliance and ethics purposes.
The CCPA’s problematic definitions
The California Consumer Privacy Act (CCPA) is yet another example of a law that fails to properly countenance compliance issues. Effective January 1, 2020, CCPA provided California “consumers” (defined as residents of California) with a bundle of new privacy rights, including the right to opt out of the sale of personal information, the right to request deletion of personal information, the right to access personal information, and the right to know what personal information a business has collected and how it is sharing and using that personal information.
Because the definition of consumers does not exclude employees, CCPA applies to all employees who are residents of California, and all references to consumers under the law can be read as references to California employees as well. While CCPA has partially delayed applicability to human resources/personnel information until January 1, 2021 (there is only a limited notice requirement in 2020), all of the above rights will apply to employees after that date. After January 1, 2021, will a California employee have the right to request that his or her employer delete personal information related to potential wrongdoing? If an internal investigation is ongoing, does the employee have a right to know any information the business is collecting from other sources in connection with that investigation?