CCPA, GDPR, AND CIPA - Oh My! Data Privacy Policies Employers Should Know About to be #PrivacyAware

Today is Data Privacy Day, and it’s important to be #PrivacyAware, even for those in talent acquisition and recruitment marketing.

But what does #PrivacyAware mean? It means that any business that collects personal information or data should be aware of data privacy laws and policies, and take action as necessary to comply with them. There’s no exception for the recruitment industry.

With the increasing use of AI, careers sites, talent pools, and other technologies that capture personal information for the job application, hiring and onboarding processes, it’s critically important to protect the personal data and privacy of both your candidates and your employees. 

From CIPA to GDPR to CCPA, there are some big changes that have taken place recently, or are coming soon, that will affect business teams everywhere, including recruitment marketing. When it comes to data privacy and talent acquisition, it’s important to know that candidate and employee data is subject to the same (if not more!) protections as consumer data. 

So, here are a few data privacy laws and policies that you may have heard about, and a high-level look at what employers need to know about them.


Data Privacy Policies & Laws Employers Should Know About


California Consumer Privacy Act (CCPA)

Start Date: January 1, 2020

What is it: CCPA allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with, plus other protections. 

Who it affects: This new law also affects businesses (and employers) around the world, not just those located in California. So, don’t skip this section if you’re not located in the Golden State!

Any companies that serve California residents in some way (this includes you, employers!) and have at least $25 million in annual revenue must comply with the law. Additionally, companies of any size that have personal data on at least 50,000 people, or that collect more than half of their revenues from the sale of personal data, also fall under the law.

It’s important to note that companies don't have to be based in California or have a physical presence there to fall under the law. In fact, an organization doesn’t even have to be based in the United States for CCPA to apply!

Under this act, all California residents’ personal information is protected. Personal information is defined as “any information that relates to a particular consumer or household.” 

Read the full California Consumer Privacy Act (CCPA) here. 


General Data Protection Regulation (GDPR)

Start Date: May 25, 2018

What is it: GDPR is an EU data privacy regulation designed to give more protection to European citizens over their own personal data that they share with businesses.

Who it affects: Any company that sells products or services to, or targets and monitors, individuals in the European Union. This law may impact businesses (and employers) around the world, as it relates to any companies marketing to or dealing with European citizens, not just organizations located in the EU. So, even if you’re not in Europe, you may want to read up on GDPR.

Unlike the CCPA, the GDPR does not factor in the size of a company or if the information will be sold or not. Anyone selling to, targeting, or monitoring individuals in the EU will need to follow this law. 

Read the full General Data Protection Regulation (GDPR) here.


Children’s Internet Protection Act (CIPA)

Start Date: 2000

What is it: “The Children's Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet.... In early 2001, the FCC issued rules implementing CIPA and provided updates to those rules in 2011.”

Who it affects: CIPA primarily impacts particular schools and libraries that receive discounts for Internet access or internal connections through an E-rate program, but it also impacts any company with products that would be used by minors.  

While this data privacy law may or may not apply to your organization specifically, it’s definitely a big one to be aware of. 

Read the full Children’s Internet Protection Act (CIPA) here.


Consider working with your legal teams, your IT teams, your corporate marketing teams, and any outside partners (e.g. your careers site platform, your talent pool partner, your ATS, your recruitment marketing agency) to determine what steps you may need to take, if any, when working with PII (personally identifiable information) or sensitive data for your candidates and employees.

In honor of Data Privacy Day today, we hope that you and your talent acquisition teams take the time to become #PrivacyAware for the protection of your candidates and employees! 

