Compliance

Sephora paid a hefty legal bill over privacy violations. Here’s why it matters for HR.

The CCPA requires businesses to let CA residents know what ‘personal information’ they collect. HR data will no longer be exempt as of January 1.

Sephora agreed in August to pay $1.2 million in penalties to California’s attorney general to settle charges that it improperly shared consumer data with third parties in violation of the state’s California Consumer Privacy Act (CCPA). While some HR professionals may read this and say, “Gee, that’s a lot of money” and move on with their day, those with operations in the Golden State should pay close attention.

Hold on, what’s happening? The CCPA requires businesses to let California residents know what “personal information”—such as names, email addresses, education records, and biometric data—they collect and, in some cases, what information they infer, like demographic data. HR data has been exempted, but on January 1, that will change.

On the same day, the California Privacy Rights Act (CPRA), an expansion of the CCPA, will go into effect. It contains no exemption for HR data.

As of January 2023, any for-profit company that does business in California and has gross annual revenue of more than $25 million (or meets one of the law’s other thresholds, which turn on the volume of personal information it handles or on how much of its revenue comes from selling or sharing that information) will have to ensure its handling of people data, including employee, applicant, independent contractor, and dependent data, complies with the CCPA and CPRA.

Employers will have to notify California-based employees when they’re collecting sensitive personal information, and tell them how they’ll use it and how long they will keep it. Critically, they must also allow these employees to limit the use of that sensitive information and opt out of its sale or sharing, and, in some cases, request deletion of their previously collected personal data.

And a data-driven field has…a lot of data. In HR, “personal information,” Proskauer attorneys Ryan Blaney and Jonathan Mollod explained, means anything that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In their opinion, the CCPA and CPRA cover everything from email data to geolocation tracking on company vehicles to performance reviews.

Employers will also be on the hook for data collected by third parties, Mark Wallin, partner at Barnes & Thornburg, told HR Brew. People teams that work with vendors to perform tasks such as benefit management or onboarding will need to ensure their contracts are in compliance with the new regulation.

In all, Blaney and Mollod characterized the situation as an “impending compliance mess” for HR.

We’re sweating. What do we do? The good news, according to Wallin, is that HR shouldn’t have an issue giving employees notice about new data collection—businesses complying with the CCPA have proven it can be done with simple on-screen messages. What’s trickier, he said, is establishing processes for employees who want to review or delete already collected data.

“They have to make sure that that's set up in a way that it can be responded to in a timely fashion, and have a system of mapping so that they know where all that data is, so that it can be done in a comprehensive way,” Wallin said. Across the country, many HR departments are frustrated by inconsistent data management processes. Wallin said mapping the data as he described “isn’t always intuitive” and will be one of the largest compliance hurdles HR should consider now.

Get going. Wallin called the penalties levied against Sephora a “warning” sign for HR, noting that the penalties for mishandling employee data are likely to be equally steep—and can add up quickly. Each violation can cost a company $2,500, or $7,500 if the violation is intentional, and the count is per violation, not per company.

“HR folks and companies are going to have to be mindful that the penalties certainly can be quite large, especially because if you're doing it wrong for somebody, it's likely that you could be doing it wrong for a number of people,” Wallin said.—SV

Do you work in HR or have information about your HR department we should know? Email [email protected] or DM @SusannaVogel1 on Twitter. For completely confidential conversations, ask Susanna for her number on Signal.

Quick-to-read HR news & insights

From recruiting and retention to company culture and the latest in HR tech, HR Brew delivers up-to-date industry news and tips to help HR pros stay nimble in today’s fast-changing business environment.