Scope of California Law
As a global service provider, LifeWorks Inc., along with its subsidiaries and affiliates (“LifeWorks”), is committed to protecting the personal information of its clients and the users of its services, in accordance with all applicable federal, state and local laws. On January 1, 2020, the State of California put into effect the California Consumer Privacy Act (“CCPA”), followed by the California Privacy Rights Act (“CPRA”) in November 2020. These laws provide California residents with rights of control over their personal information by putting restrictions on how a company may “use” that data.
Businesses
The CCPA establishes several rights for California residents, such as the “right to know”, the “right to delete” and the “right to opt-out”. These rights impose requirements on a “business” that collects personal information and determine the “purposes and means” of permitted processing of any personal information collected.
However, businesses may also engage “service providers” to collect and process personal information on their behalf. In order for an organization to be a service provider, they must have a written contract in place that describes the approved uses of personal information, and that limits them to those uses that are necessary for fulfilling the obligations of the contract with the business.
Service Providers
Since LifeWorks engages with consumers in providing services to employers, insurance companies, schools, and other organizations, and has contractual language with those organizations limiting what we can do with consumer personal information, LifeWorks fits within the “service provider” role, as defined under the CCPA.
As a “service provider”, LifeWorks is not a “business” responsible for meeting the consumer rights identified in the CCPA. These obligations rest with the LifeWorks client as the “business”.
LifeWorks can support our “business” clients in assisting with their CCPA obligations when it comes to providing notice by directing clients to our privacy policy on the Internet and helping them understand how we work with personal information. In this way, our clients can include consistent language in any privacy notice they draft that could apply to circumstances where LifeWorks collects and uses consumers’ personal information. Although there may be instances in which we are not able to comply with a request, our clients may direct us to delete or rectify any personal information on behalf of individuals exercising their rights with the client.
HIPAA
Some of LifeWorks business units operate as Covered Entities under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including those offering Employee Assistance Programs and iCBT services. The CCPA excludes any Protected Health Information (“PHI”) held by Covered Entities and therefore, for these business units, HIPAA governs our conduct with respect to any PHI involved.
LifeWorks understands that an individual’s rights around the control of their personal information is also a trust issue, rather than just a legal one. To that end, we are continuing to review and evolve our data handling practices to be respectful of the interests of our clients’ employees and the employees of any prospective partners with whom we may be evaluating a business relationship.
For more information about LifeWorks privacy compliance efforts, please contact us by email at privacy-vieprivee@lifeworks.com or review our Privacy Policy at https://lifeworks.com/en/privacy-policy.