Can I use third-party HR tools that collect personal information in California? What are the requirements?
Using Third-Party HR Tools in California
Yes, you can use third-party HR tools that collect personal information in California, but you must comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) [1.5].
Requirements
To comply with these laws, you must provide consumers with a privacy notice that accurately reflects your privacy policies and practices [1.5][1.4]. The notice must be provided to the consumer before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, unless the disclosure is authorized by California Insurance Code Section 791.13 or you have a customer relationship with the consumer [1.5].
If you make any material changes to your privacy policies or practices, you must provide a clear and conspicuous revised notice to the consumer that accurately describes the changes [1.6]. You must also provide a new opt-out notice that complies with section 2689.8 [1.6].
In addition, you must ensure the security and confidentiality of customer information and protect against any anticipated threats or hazards to the security or integrity of such information [1.9][1.7].
Within 90 days of the effective date of these regulations, all contracts that a licensee enters into or has entered into with a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf shall include or be amended to include a written requirement that the third party maintain the confidentiality of nonpublic personal information where the nonaffiliated third party obtains confidential nonpublic personal information in connection with the contract [1.2].
Failure to comply with these laws can result in significant penalties and legal liability. Therefore, it is important to consult with legal counsel to ensure that your HR tools and practices are in compliance with California privacy laws.
- [1.5]: 10 CACR Section 2689.5
- [1.4]: 10 CACR Section 2689.7
- [1.6]: 10 CACR Section 2689.9
- [1.9]: 10 CACR Section 2689.15
- [1.7]: 10 CACR Section 2689.14
- [1.2]: 10 CACR Section 2689.24
Source(s):
- [1.2] Effective Date; Contracts with Nonaffiliated Third Parties.
- [1.4] Information to be Included in Privacy Notices.
- [1.5] Initial Privacy Notice.
- [1.6] Revised Privacy Notices.
- [1.7] Information Security Program.
- [1.9] Objectives of Information Security Program.
Jurisdiction
California