Come January 1st, 2023, companies subject to the California Consumer Privacy Act (CCPA) will face heightened compliance requirements when collecting personal information about their workers, independent contractors, and job applicants.
I recently spoke to Dror Gurevich, Founder and CEO of Velocity Network Foundation®, a non-profit membership organization that aims to empower individuals to gain agency over their verifiable education and career information and build the Internet of Careers®, about the current privacy landscape in the job market.
Gary Drenik: How do companies currently handle personal information collected in the hiring process? How must this change come January 1st, 2023? Who will be affected?
Dror Gurevich: The California Consumer Privacy Act (CCPA) contains a partial exemption for personal information collected by a business about job applicants, employees, and independent contractors. Effective January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA, the so-called HR exemption will expire, and California employers will face heightened CCPA compliance requirements.
The exemption previously relieved employers from having to comply with many of the CCPA’s obligations relating to their employees’ personal information, such as the requirement to offer consumer data rights when the information is used solely for employment-related actions. This allowed employers more freedom to share this data with 3rd party payroll and benefits vendors, use analytics and machine learning on historical data to improve processes and policies and communicate with relevant, prospective talent pools.
Under the CPRA, employees will have the right to know about the personal information that the business collects about them (Right to Know); the right to delete personal information collected from them, subject to exceptions (Right to Delete); the right to opt out of an employer’s sale or sharing of their personal information (Right to Opt Out of Sale or Sharing) that includes disclosing employee personal information to a vendor, such as a payroll company, without entering into a CPRA service provider agreement with the vendor; and a new right to correct personal information that is inaccurate.
Two additional rights granted to employees, applicants, and independent contractors under the CPRA are the Right to Limit Use and Disclosure of Sensitive Personal Informationand Right to Opt Out of Automated Decision-Making Technology.
The first limits employers’ use and disclosure of “sensitive personal information,” which is defined to include geolocation data, racial or ethnic origin, union membership and the contents of certain employee email and text messages and will impact many of the programs and technologies implemented in the last few years around diversity and inclusion.
The second, the right to opt out of a business’s use of “automated decision-making technology,” which includes profiling employees based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, will have an impact on the use of AI and Machine learning technologies by employers.
Drenik: What should job applicants consider before sharing personal information like email, phone number, etc., in the job search process? What should they know about how their personal information is collected/used?
Gurevich: Consumers around the world are increasingly taking action to protect their data, by exercising their data rights under existing privacy laws or by no longer buying from organizations that don’t properly protect their data. According to a recent Prosper Insights & Analytics survey, 72.3% have already taken steps to protect their privacy, including private browsing, turned off mobile trackers, denied permission of mobile apps to track them and changed social media privacy settings. Interestingly, the data shows that younger generations are more likely to be “privacy activists” than older ones. A recent Cisco survey reported over a third of respondents have switched companies or providers over their data policies or data sharing practices, and a quarter have exercised their Data Subject Access Rights including inquiries to organizations about their data and requests to change or delete this data.
While the impact of this movement on the job market has somewhat lagged behind, we are certain to see increasing privacy awareness from job applicants and employees to these aspects.
Drenik: Is there a better way for employers to handle the hiring process in an effort to abide by heightened CCPA requirements come 2023? What sort of technology can make the hiring process more secure for all parties involved?
Gurevich: Employers should approach this with a much broader perspective than simple CPRA compliance. In 2010, Facebook founder and CEO Mark Zuckerberg went on record speaking the same sentiments blathered by the big money data farmers that came before him; none of the cool kids care about privacy. Neither should you. Fast forward to 2022, the cool kids are the “privacy activists” that lead this movement. Employers concerned with their employer brand better pay special attention to privacy aspects or risk losing critical talent.
It is clear that we need a new data-sharing architecture for the job market. The workforce tech industry has come together under the Velocity Network Foundation, to develop and deploy the Internet of Careers®, a game-changing, blockchain-based, decentralized utility layer that replaces the outdated, fragmented way personal information is exchanged across the labor market , empowering individuals to gain agency over their verifiable education and career information.
The watchword for this revolution is “self-sovereign career identity,” which means that individuals will own and manage their academic and employment credentials, and decide who they share it with, maintaining their privacy and security.
Individuals can store and manage their credentials privately on designated mobile wallets and share them when needed. Once shared with a relying party (eg, employers, recruiters, educational institutions), credentials are instantly verifiable and trusted through the blockchain underlying layer. This seamlessly achieves significant reductions in the time and costs associated with talent processes, while supporting compliance by reducing data reliability concerns and risks.
Consent is embedded by design, as well as privacy and security. It will radically change the way people navigate their career and livelihood, and how employers collect and process personal information to make talent decisions.
Drenik: How are workforce tech leaders at companies like AON, SAP and Oracle responding to changing employment processes?
Gurevich: 50 of the largest workforce and education tech vendors in the world came together to run and deploy Velocity Network™, the Internet of Careers®.
The network and its protocols enable workers to claim and stack career and education credentials, store them privately on digital wallets and decide who they share them with. The credentials are issued to the individuals by schools, former and current employers and credentialing or licensing organizations and are tamper-proof and cryptographically secured, hence trusted by relying parties.
The decentralized network is a public utility governed by its members rather than being owned by a single vendor.
Workforce and education tech vendors connect to the network to enable their customers (eg, employers, recruiters) seamless, out-of-the-box, first-party (transacted by the individual herself), private and secured exchange of trusted personal career and education records.
It’s a once-in-a-generation revolution of the labor market. Enabling a rich verifiable self-sovereign career identity is the ‘Great Transformer’ of the global labor market we’ve all been waiting for. Who’s ready for the future of work?
Drenik: Thanks, Dror, for your insights on how the CPRA will impact the world of employment in 2023, and how companies are beginning to prepare now.
.