The CCPA and when privacy law overlooks internal compliance functions

By Stuart L. Pardau

Stuart L. Pardau (stuart.pardau@csun.edu) is a tenured professor at the David Nazarian College of Business and Economics at California State University, Northridge, USA. He also practices law and consults with clients in the areas of privacy and data security, intellectual property licensing, and compliance issues.

Experience informs us that it is not uncommon for different areas of law to conflict and sometimes produce unintended results. The intersection of privacy law and corporate compliance produces some disturbing examples in this regard.

As Exhibit A, take the Federal Trade Commission’s 1999 ruling that the Fair Credit Reporting Act (FCRA) required employers to obtain an alleged sexual harasser’s consent before having the employer’s outside law firm investigate the allegations, or Article 10 of the General Data Protection Regulation (GDPR), which limits the “[p]rocessing of personal data relating to criminal convictions” without carving out exceptions for internal investigations, anticorruption due diligence, export control vetting, or background checks on potential employees.[1]

Similarly, the GDPR’s right to be forgotten, right to object to processing, and right to restrict processing can hamstring internal investigations and due diligence related to hiring. In these and other cases, well-meaning privacy advocates and well-intentioned drafters of statutes fail to unambiguously allow processing of personal data for legitimate compliance and ethics purposes.

The CCPA’s problematic definitions

The California Consumer Privacy Act[2] (CCPA) is yet another example of a law that fails to properly countenance compliance issues. Effective January 1, 2020, CCPA provided California “consumers” (defined as residents of California) with a bundle of new privacy rights, including the right to opt out of the sale of personal information, the right to request deletion of personal information, the right to access personal information, and the right to know what personal information a business has collected and how it is sharing and using that personal information.

Because the definition of consumers does not exclude employees, CCPA applies to all employees who are residents of California, and all references to consumers under the law can be read as references to California employees as well. While CCPA has partially delayed applicability to human resources/personnel information until January 1, 2021 (there is only a limited notice requirement in 2020), all of the above rights will apply to employees after that date. After January 1, 2021, will a California employee have the right to request that his or her employer delete personal information related to potential wrongdoing? If an internal investigation is ongoing, does the employee have a right to know any information the business is collecting from other sources in connection with that investigation?

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings