ECHO Incorporated Privacy Notice for California Employees and Residents


Last Reviewed: June 5, 2023

This Privacy Notice for California Employees and Applicants supplements the information contained in ECHO Incorporated’s (“ECHO”, “we”, “our”, “us”) Online Privacy Policy (located at https://www.echo-usa.com/privacy-policy) and applies solely to all ECHO employees, job applicants, contractors, or similar individuals who reside in the State of California ("workforce members" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA), as amended (collectively, “CPRA”) and any terms defined in the CPRA have the same meanings when used in this notice.

 California Notice at Collection for Employees and Applicants

ECHO Incorporated (“ECHO”, “we”) collects and uses Personal Information for human resources, employment, benefits administration, health and safety, and business-related purposes and to be in legal compliance. Below are the categories of Personal Information we collect and the purposes for which we intend to use this information. 

We will not sell the Personal Information we collect. We also will not share it with third parties for cross-context behavioral advertising.

To view our full Online Privacy Policy visit https://www.echo-usa.com/privacy-policy.  

Category

Examples

Collected

A. Identifiers.

Identifying information, such as your full name, gender (if provided), date of birth, and signature.

YES

B. Demographic Data.

Demographic data, such as disability, and veteran or military status (if provided).

YES

(If shared by applicant)

C. Contact Information.

Contact information, such as your home address, telephone numbers, email addresses, and emergency contact information.

YES

D. Dependent’s or other individuals’ information.

Dependent's or other individual's information, such as their full name, address, date of birth, and Social Security numbers (SSN). (after employment and only with benefits.)

YES (after hire)

E. National Identifiers.

National identifiers, such as SSN, passport and visa information, and immigration status and documentation.

YES (after hire)

F. Educational and professional background.

Educational and professional background, such as your work history, academic and professional qualifications, educational records, references, and interview notes.

YES

G. Employment Details.

Employment details, such as your job title, position, hire dates, compensation, performance and disciplinary records, and vacation and sick leave records.

YES

H. Financial Information.

Financial information, such as banking details, tax information, payroll information, and withholdings.

YES

I. Health and Safety Information.

Health and Safety information, such as health conditions (if relevant to your employment), job restrictions, workplace illness and injury information, and health insurance policy information.

YES

J. Information Systems Information.

Information Systems (IS) information, such as your search history, browsing history, login information, and IP addresses on ECHO’s information systems and networks.

YES

K. Biometric Information.

 

 

NO

L. Geolocation Data. 

Geolocation data, such as time and physical location related to use of an internet website, application, device, or physical access to an ECHO office location.

YES (when using VPN connection into ECHO)

M. Sensory Information.

Sensory or surveillance information, such as COVID-19 related temperature checks and call monitoring and video surveillance.

YES

N. Sensitive Personal Information.

1. Government identifiers (social security, driver's license, state identification card, or passport number).

YES

2. Complete account access credentials (user names, account numbers, combined with required access/security code or password).

YES

3. Racial or ethnic origin (Optional at application).

YES (if shared by applicant.)

 

ECHO collects Personal Information to use or disclose as appropriate to:

  • Comply with all applicable laws and regulations.
  • Recruit and evaluate job applicants and candidates for employment.
  • Conduct background checks.
  • Manage your employment relationship with us, including for:
    • onboarding processes;
    • timekeeping, payroll, and expense report administration;
    • employee benefits administration;
    • employee training and development requirements;
    • the creation, maintenance, and security of your online employee accounts;
    • reaching your emergency contacts when needed, such as when you are not reachable or are injured or ill;
    • workers' compensation claims management;
    • employee job performance, including goals and performance reviews, promotions, discipline, and termination; and
    • other human resources purposes.
  • Manage and monitor employee access to company facilities, equipment, and systems.
  • Conduct internal audits and workplace investigations.
  • Investigate and enforce compliance with and potential breaches of ECHO policies and procedures.
  • Engage in corporate transactions requiring review of employee records, such as for evaluating potential mergers and acquisitions of ECHO.
  • Maintain commercial insurance policies and coverages, including for workers' compensation and other liability insurance.
  • Perform workforce analytics, data analytics, and benchmarking.
  • Administer and maintain ECHO’s operations, including for safety purposes.
  • For client marketing purposes.
  • Exercise or defend the legal rights of ECHO and its employees, affiliates, customers, contractors, and agents. 

 

ECHO will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Purposes for the Collection and Use of Sensitive Personal Information 

We may use Sensitive Personal Information for purposes of performing services for our business, providing services as requested by you, and ensuring the security and integrity of our business, infrastructure, and the individuals we interact with.  This includes, without limitation, establishing and maintaining your employment relationship with us, ensuring the diversity of our workforce, complying with legal obligations, managing payroll and corporate credit card use, administering and providing benefits, securing the access to, and use of, our facilities, equipment, systems, networks, applications, and infrastructure, receiving and processing your job application, evaluating your suitability for the position(s) you are applying for, conducting background checks, making you an offer (subject to our discretion), fulfilling administrative functions, complying with law, legal process, or requests from governmental or regulatory authorities, and exercising or defending legal claims.

 

Retention Period

We retain Personal Information including, without limitation, Sensitive Personal Information, for as long as needed or permitted in light of the purpose(s) for which it was collected.  The criteria used to determine our retention periods include:  

  • The duration of your employment;
  • The length of time we have an ongoing relationship with you or your dependents/beneficiaries and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise; 
  • The duration of the job application process;
  • Whether your job application is successful and you become an employee;
  • Whether, if your application is not successful, you would like to be notified of future job opportunities with us or our affiliates;
  • The length of time we have an ongoing relationship with you and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise; 
  • Whether there is a legal obligation to which we are subject (for example, certain laws may require us to keep your employment records for a certain period of time); and 
  • Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

 

Information We Collect

ECHO Incorporated (“ECHO”, “we”) collect and use Personal Information for human resources, employment, benefits administration, health and safety, and business-related purposes and to be in legal compliance. Below are the categories of Personal Information we have collected from workforce members within the last twelve (12) months.

 

Category

Examples

Collected

A. Identifiers.

Identifying information, such as your full name, gender (if provided), date of birth, and signature.

YES

B. Demographic Data.

Demographic data, such as disability, and veteran or military status (if provided).

YES (if shared by applicant)

C. Contact Information.

Contact information, such as your home address, telephone numbers, email addresses, and emergency contact information.

YES

D. Dependent’s or other individuals’ information.

Dependent's or other individual's information, such as their full name, address, date of birth, and Social Security numbers (SSN) (after employment and only with benefits).

YES (after hire)

E. National Identifiers.

National identifiers, such as SSN, passport and visa information, and immigration status and documentation.

YES (after hire)

F. Educational and professional background.

Educational and professional background, such as your work history, academic and professional qualifications, educational records, references, and interview notes.

YES

G. Employment Details.

Employment details, such as your job title, position, hire dates, compensation, performance and disciplinary records, and vacation and sick leave records.

YES

H. Financial Information.

Financial information, such as banking details, tax information, payroll information, and withholdings.

YES

I. Health and Safety Information.

Health and Safety information, such as health conditions (if relevant to your employment), job restrictions, workplace illness and injury information, and health insurance policy information.

YES

J. Information Systems Information.

Information Systems (IS) information, such as your search history, browsing history, login information, and IP addresses on ECHO’s information systems and networks.

YES

K. Biometric Information.

 

NO

L. Geolocation Data.

Geolocation data, such as time and physical location related to use of an internet website, application, device, or physical access to an ECHO office location.

YES (when using VPN connection into ECHO)

M. Sensory Information.

Sensory or surveillance information, such as COVID-19 related temperature checks and call monitoring and video surveillance.

YES

N. Sensitive Personal Information.

1. Government identifiers (social security, driver's license, state identification card, or passport number).

YES

2. Complete account access credentials (user names, account numbers, combined with required access/security code or password).

YES

3. Racial or ethnic origin (if provided).

YES (if shared by applicant)

 

Personal Information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated workforce member information.
  • Information excluded from the CPRA's scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

ECHO obtains the categories of Personal Information listed above from the following categories of sources:

  • Directly from you. For example, from forms you complete.
  • Indirectly from you. For example, from our service providers and observing your actions on our company information systems.

Use of Personal Information

ECHO collects Personal Information to use or disclose as appropriate to:

  • Comply with all applicable laws and regulations.
  • Recruit and evaluate job applicants and candidates for employment.
  • Conduct background checks.
  • Manage your employment relationship with us, including for:
    • onboarding processes;
    • timekeeping, payroll, and expense report administration;
    • employee benefits administration;
    • employee training and development requirements;
    • the creation, maintenance, and security of your online employee accounts;
    • reaching your emergency contacts when needed, such as when you are not reachable or are injured or ill;
    • workers' compensation claims management;
    • employee job performance, including goals and performance reviews, promotions, discipline, and termination; and
    • other human resources purposes.
  • Manage and monitor employee access to company facilities, equipment, and systems.
  • Conduct internal audits and workplace investigations.
  • Investigate and enforce compliance with and potential breaches of ECHO policies and procedures.
  • Engage in corporate transactions requiring review of employee records, such as for evaluating potential mergers and acquisitions of ECHO.
  • Maintain commercial insurance policies and coverages, including for workers' compensation and other liability insurance.
  • Perform workforce analytics, data analytics, and benchmarking.
  • Administer and maintain ECHO’s operations, including for safety purposes.
  • For client marketing purposes.
  • Exercise or defend the legal rights of ECHO and its employees, affiliates, customers, contractors, and agents. 

ECHO will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Purposes for the Collection and Use of Sensitive Personal Information 

We may use Sensitive Personal Information for purposes of performing services for our business, providing services as requested by you, and ensuring the security and integrity of our business, infrastructure, and the individuals we interact with.  This includes, without limitation, establishing and maintaining your employment relationship with us, ensuring the diversity of our workforce, complying with legal obligations, managing payroll and corporate credit card use, administering and providing benefits, securing the access to, and use of, our facilities, equipment, systems, networks, applications, and infrastructure, receiving and processing your job application, evaluating your suitability for the position(s) you are applying for, conducting background checks, making you an offer (subject to our discretion), fulfilling administrative functions, complying with law, legal process, or requests from governmental or regulatory authorities, and exercising or defending legal claims.

 

Retention Period

We retain Personal Information including, without limitation, Sensitive Personal Information, for as long as needed or permitted in light of the purpose(s) for which it was collected.  The criteria used to determine our retention periods include:  

  • The duration of your employment;
  • The length of time we have an ongoing relationship with you or your dependents/beneficiaries and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise; 
  • The duration of the job application process;
  • Whether your job application is successful and you become an employee;
  • Whether, if your application is not successful, you would like to be notified of future job opportunities with us or our affiliates;
  • The length of time we have an ongoing relationship with you and the length of time thereafter during which we may have a legitimate need to reference your Personal Information to address issues that may arise; 
  • Whether there is a legal obligation to which we are subject (for example, certain laws may require us to keep your employment records for a certain period of time); and 
  • Whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Disclosing Personal Information

ECHO may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract.

We disclose your Personal Information to the following categories of third parties:

  • ECHO affiliates.
  • Service providers (including, but not limited to, attorneys, accountants, IT service providers, payroll processors and benefits providers).
  • Government entities (for employment-related matters such as work authorizations, I-9 forms, payroll and tax withholding).

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, ECHO has disclosed the following categories of Personal Information for a business purpose:

Category A: Identifiers.

Category B: Demographic Data.

Category C: Contact Information.

Category D: Dependent’s or other individuals’ information.

Category E: National Identifiers.

Category G: Employment Details.

Category H: Financial Information.

Category I: Health and Safety Information.

Category N: Sensitive Personal Information.

We disclose your personal information for a business purpose to the following categories of third parties:

  • ECHO affiliates.
  • Service providers (including, but not limited to, attorneys, accountants, IT service providers, payroll processors and benefits providers).
  • Government entities (for employment-related matters such as work authorizations, I-9 forms, payroll and tax withholding).

Sales or Sharing of Personal Information 

In the preceding twelve (12) months, ECHO has not sold Personal Information nor has ECHO shared Personal Information for cross-context behavioral advertising purposes.

Your Rights and Choices 

The CPRA provides workforce members (California residents) with specific rights regarding their Personal Information. This section describes your CPRA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that ECHO disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable request (see Exercising Access, Data Portability, Deletion and Correction Rights), we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).
  • If we sold or disclosed your Personal Information for a business purpose, two separate lists disclosing:
    • sales, identifying the Personal Information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

Deletion Request Rights 

You have the right to request that ECHO delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request (see Exercising Access, Data Portability, Deletion and Correction Rights), we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request for the following reasons:

  1. That the Personal Information is needed for employment purposes, such as for payroll, government data reporting, and health care.
  2. Performing a contract between ECHO and you (workforce member), such as to award stock options or pension benefits.
  3. Retaining Personal Information contained in security logs to satisfy compliance requirements and litigation demands.
  4. Complying with other laws applicable to our business, such as needing to retain certain employment records for the required data retention period.
  5. That deleting the information prevents us from exercising our legal rights, such as needing to retain the information to defend against possible legal claims.
  6. Any other permitted business justification for retaining the Personal Information exists.

 

Right to Correct

You have the right to request ECHO to correct inaccurate Personal Information collected about you. ECHO will make commercially reasonable efforts to correct any inaccurate Personal Information we hold about a workforce member within 45 days of receiving a verifiable request. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Right to Opt-Out of Personal Information Sales and Sharing

You have the right to direct us to not sell or share your Personal Information for cross-context behavioral advertising purposes at any time (the "right to opt-out"). Please note that we do not currently engage in sales or sharing of Personal Information triggering such opt-out requirements. 

Right to Limit Disclosure or Use of Sensitive Personal Information

You have the right to limit the disclosure or use of your Sensitive Personal Information that has been collected or processed with the purpose of inferring characteristics about you. Please note that we do not currently collect or use Sensitive Personal Information to infer characteristics about workforce members triggering such limitation rights. 

Exercising Access, Data Portability, Deletion and Correction Rights

To exercise the access, data portability, deletion and correction rights described above, please submit a verifiable request to us by either:

  • Calling us at 1-800-432-3246.
  • Emailing us at hr@echo-usa.com.

Only you, or someone legally authorized to act on your behalf, may make a verifiable request related to your Personal Information. To designate an authorized agent, you must first verify your identity directly with us and provide written authorization to your agent to make requests on your behalf.

You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include:
    • Your name, address, and any other information we may require to verify your identity.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

Response Timing and Format

We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the verifiable request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically .csv format.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Retaliation/Non-Discrimination

We will not retaliate or discriminate against you for exercising any of your CPRA rights.

Changes to Our CA Employee/Applicant Privacy Notice

ECHO reserves the right to amend this California employee/applicant privacy notice at our discretion and at any time. When we make changes to this California employee/applicant privacy notice, we will post the updated notice on the company Intranet, Ulti Pro website, and Rocklin physical location, and update the notice's effective date.

Contact Information

If you have any questions or comments about this notice, the ways in which ECHO collects and uses your Personal Information described in this California employee/applicant privacy notice and/or the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: 1-800-432-3246

Email: hr@echo-usa.com