As Colorado and Virginia Follow California’s Lead in Enacting Data Privacy Laws, Employers Must Start Planning to Address an Inevitable Trend

With the enactment of the Colorado Privacy Act on July 7, 2021, Colorado now joins Virginia1 in transforming the first major state privacy law, the California Consumer Privacy Act (CCPA), from an outlier into what now appears to be the beginning of an inevitable trend.  Employers must start addressing this trend not just because the CCPA and its upcoming successor, the California Privacy Rights Act (CPRA), apply to the personal information of individuals in the employment context (HR data), but also because more states are poised to follow suit.  Although the Colorado Privacy Act and Virginia’s Consumer Data Protection Act (VACDPA) do not apply to HR data, they are likely to become a model for future state laws that do cover HR data.  Moreover, both laws impose demanding compliance obligations that many companies are likely to meet only with the help of the company’s human resources department, and they add to the crunch that companies will face in late 2022 as they race to meet multiple privacy laws’ compliance deadlines.  

Employers Must Start Planning to Address New State Privacy Laws that Regulate the Handling of HR Data

While the CCPA applies only in part to HR data,2 the CPRA, when it goes into effect on January 1, 2023, will apply in full to HR data.  The CPRA will require employers to implement comprehensive privacy programs for HR data.  These programs will need to address, for example, (a) updated “notices at collection” and a new employee privacy policy, (b) extensive review of data collection practices, (c) information security for HR data and security incident response, (d) contracting with service providers and other third parties that receive HR data, (e) data retention and destruction schedules, and (f) procedures for administering requests from applicants, employees, and contractors to exercise their rights.3

The new Colorado and Virginia laws are part of a flurry of privacy bills in statehouses across the country sparked by the CCPA and the CPRA.  These bills show the growing, nationwide appetite for increased privacy protection.  About two dozen bills with substantial elements of the CCPA and CPRA are now pending in state legislatures. Approximately one-half of these laws would apply to HR data in addition to consumer data. In addition, at the federal level, both Democrats and Republicans have introduced competing bills for comprehensive privacy laws.

The Colorado Privacy Act and VACDPA Could be the Models for Future Privacy Laws Applicable to HR Data

While the CCPA and CPRA are the first and only broad data protection laws to apply to HR data, new laws are more likely to follow Colorado’s and Virginia’s models for three reasons. First, both laws are substantially better drafted and more coherent than either the CCPA or the CPRA.  Second, the Colorado Privacy Act and VACPDA impose less burden on business while, in many ways, offering stronger privacy protections.  Third, the two laws are quite similar, suggesting that they represent an emerging consensus on the key features of a comprehensive privacy law in the United States.  They may, therefore, show us the shape of future federal and state privacy laws that regulate HR data.

What are the key features of these laws?  Both laws are limited in bite and in scope. Neither law grants a private right of action, leaving enforcement to the state attorney general and, in Colorado’s case, district attorneys.  The Colorado and Virginia laws apply only to companies that handle the personal data of more than 100,000 state residents or, if a company sells personal data, the personal data of more than 25,000 state residents.  

For companies that must comply, however, the burdens could be onerous, albeit less so than under the California laws. The Colorado Privacy Act and VACDPA have, in essence, three parts: controller obligations, processor obligations, and individual data rights.

Controller Obligations

The vast majority of these laws’ obligations fall on “controllers.” A controller, defined as the entity that determines the purposes and means of processing (an employer would be considered a controller), must take steps including the following:

  • post a detailed privacy policy;
  • process personal data only as described in that privacy policy;
  • take reasonable measures to safeguard personal data from unauthorized acquisition;
  • obtain consent before processing sensitive personal data;
  • pass down, by contract, most obligations to processors; and
  • properly respond to requests by individuals to exercise their data rights.

In addition, controllers must conduct and document a data protection assessment before certain types of higher-risk processing — for example, processing sensitive personal data, such as race, religion or sexual orientation.

Processor Obligations

Processors, defined as entities that process personal data on behalf of a controller, are subject to both statutory and contractual obligations.  Controllers must bind processors, by written agreement, to obligations, including: (a) to process personal data only pursuant to the controller’s instructions; (b) to provide the same types of protections for personal data that apply to controllers; and (c) to ensure that each person handling personal data is subject to a duty of confidentiality.  In addition, Colorado’s and Virginia’s laws impose independent obligations on processors, such as to enter “downstream” agreements with subcontractors to ensure that protections flow with the personal information and to assist the controller with responding to requests to exercise data rights.

Individual Data Rights

The Colorado Privacy Act and VACDPA provide state residents with a panoply of rights.  These rights include the rights to access, correct, delete, and obtain copies of their personal data held by controllers and by processors on a controller’s behalf.  Both laws also establish detailed procedures that controllers must follow when responding to requests.

Compliance with Privacy Laws that do not Apply to HR Data May Still Require HR’s Involvement

Human resources professionals cannot ignore state privacy laws, like the Colorado Privacy Act and the VACDPA, just because they do not apply to HR data.  A large part of an organization’s privacy compliance program will rest on the shoulders of staff.  Organizations will need a governance structure, administrative processes, and training.

The human resources department may find itself intimately involved in developing this “people” aspect of the privacy compliance program. For example, every employee who deals with the public at an organization subject to the Colorado Privacy Act or VACDPA will need basic instruction on how to route an individual’s request to exercise data rights.

Planning is Critical as a Data Privacy “Compliance Crunch” is Approaching

For those outside the privacy world, January 1, 2023 may not have much significance. For privacy professionals, New Year’s Day 2023 has become a form of D-Day, where the “D” stands for “data protection.”  On that date, the California Privacy Rights Act goes into effect with its expansive obligations for HR data. Of concern to U.S. multinationals with employees in the European Union (EU), new cross-border data transfer requirements will come into force just days before January 1, 2023.4  Piling on, the VACDPA also goes into effect on January 1, 2023, and the Colorado Privacy Act has set its compliance deadline only six months later, on July 1, 2023.  The result at many organizations will be overwhelmed IT and compliance departments from mid-2022 into late 2023. 

To avoid the worst of the crunch, human resources departments should consider taking advantage of the summer lull to start sizing up and planning their compliance projects if their organization has employees who reside in California or the EU.  Organizations with substantial operations in California or the EU should consider initiating the compliance work by late 2022 to ensure ample time to complete what likely will be a substantial undertaking.  To the extent that the organization also is subject to the Colorado Privacy Act or the VACDPA, that lead time will be critical as other internal departments — such as, legal, procurement, IT, and privacy/compliance — are likely to be stretched thin with increasingly reduced availability to support HR as data protection D-Day approaches.

Finally, organizations should keep an eye out for additional privacy legislation that does apply in full to HR data. Given the number of pending bills, we may soon see more laws enacted like the Colorado Privacy Act and the VACDPA, and some of these laws likely will apply to HR data.

See Footnotes

1 See S.B. 21-190 (Col. 2021); S.B. 1392 (Va. 2021).

2 For more information on the CCPA’s compliance requirements, please see Philip Gordon, Kwabena Appenteng, and Zoe Argento, Employers Receive Last-Minute Reprieve From The Most Onerous CCPA Compliance Obligations, Littler Insight (Sept. 17, 2019).  

4 For more information, please see Philip Gordon, Zoe Argento, and Kwabena Appenteng, The European Union’s New Standardized Data Transfer Agreement: Implications for Multinational Employers, Littler Insight (June 9, 2021).  

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.