This is the fifth in a series of articles about the implications of the California Privacy Rights Act for employers.
The California Privacy Rights Act (CPRA), which goes into effect January 1, 2023, will impose specific notice obligations on the part of the employer. In a previous article, we covered the first type of notice required under the CPRA, the notice at collection, which explains how the employer will collect, use, and retain personal information collected by the company. This article focuses on the second type of notice required under the CPRA, which is a privacy policy that must be posted online or on the employer’s internet website.
Employers familiar with the CPRA’s predecessor, the California Consumer Privacy Act (CCPA), likely know that the CCPA exempts the data of employees, applicants, independent contractors, dependents, and other individuals in their HR capacity (collectively, “HR Individuals”) from most of its requirements. As such, other than providing a notice at collection and implementing adequate safeguards to reduce the risk of statutory damages for lapses in information security, the remaining obligations under the CCPA do not apply to HR data. The CPRA, however, sunsets the exemption for HR data and introduces new requirements for the handling of personal information, which includes the distribution of a privacy policy.
Content of the Online Privacy Policy
Required Content
The privacy policy must disclose the following:
- the categories of personal information collected by the employer during the preceding 12 months;
- the categories of sources from which the personal information is collected;
- the business or commercial purposes for collecting, selling, or sharing that personal information;
- the categories of third parties to which personal information is disclosed;
- the categories of personal information sold or shared for purposes of cross-context behavioral advertising in the preceding 12 months;
- the categories of personal information disclosed for a business purpose in the preceding 12 months; and
- the individual’s CPRA rights and how to exercise those rights, which includes, at a minimum, a toll-free telephone number and at least one other method for submitting rights requests.[1]
For more discussion of HR Individuals’ rights, please refer to our previous articles explaining the data rights that HR Individuals can exercise under the CPRA.[2]
Comparison With the Notice at Collection
At first glance, the information required in the online privacy policy may seem a lot like that required in the notice at collection. Indeed, there is substantial overlap. Both the notice at collection and the privacy policy must disclose the categories of personal information collected as well as the purposes for which the information is collected. But there are also key distinctions between the two forms of notices.[3]
To begin, the notice at collection is prospective, whereas the online privacy policy is retrospective, providing information about the employer’s information-handling practices during the 12 months preceding the policy’s effective date.[4] In addition, unlike the notice at collection, which may cover only the personal information being collected at the time of the notice, the privacy policy must be comprehensive, covering all data handling across the organization in the past 12 months. Practically speaking, this means that the CPRA privacy policy published on January 1, 2023 must cover data handling starting January 1, 2022. Therefore, employers should start tracking now how they have processed personal information since January 1, 2022.
In one way, however, the privacy policy is not as comprehensive as the notice at collection. Unlike the notice at collection, the privacy policy need not include information about data retention.
Options to Opt Out
Further, while the notice at collection need only disclose whether personal information collected is sold or shared, the privacy policy must disclose the specific categories of personal information that are sold or shared in the preceding 12 months. As we explained in our previous articles, however, most employers’ data handling practices do not qualify as a “sale” or “sharing” of HR data, as those terms are defined under the CPRA. That is, most employers do not transfer HR data to third parties in exchange for monetary or other valuable consideration.[5] Nor do most employers disclose personal information to third parties for cross-context behavioral advertising.[6]
For those employers that neither sell nor share HR data, their privacy policy should include a prominent statement disclosing that they have not sold or shared personal information in the preceding 12 months. For employers that do sell or share HR data, the privacy policy should include a link to the web page where the individual may opt out of these sales and sharing.[7]
Finally, if the employer infers characteristics from sensitive personal information and uses or discloses that information for purposes beyond a limited set of operational purposes specified by the CPRA, then the privacy policy must include a notice and give individuals the option to opt out of use or disclosure for those purposes.[8] Like “sales” and “sharing,” the right to limit the use and disclosure of sensitive personal information will apply only very rarely in the employment context because employers typically do not infer characteristics from that information.
Distributing the Privacy Policy
Posting “Online”
The statute requires that the privacy policy be posted: (a) in the company’s online privacy policy and in any California-specific description of individuals’ privacy rights; or (b) on its internet website.[9] The CPRA does not define what it means to post the privacy policy “online.” Therefore, in the absence of specific guidance to the contrary when the CPRA regulations issue, “online” reasonably could be interpreted to mean an employer’s intranet so long as HR Individuals can access the privacy policy. Because applicants would not have access to a company’s intranet, employers that use this approach likely would need to consider posting a separate privacy policy for applicants on their career website.
Combining With the Notice at Collection
In addition, many employers can combine the notice at collection and privacy policy into one document. The overlapping disclosures in each document will be substantially identical, particularly if the company’s prospective and retrospective handling of personal information is largely the same. Most likely, California regulatory authorities will not object to combining the documents because the CCPA regulations specifically allowed the notice at collection to be included within a privacy policy. Publication of final CPRA regulations later this year may provide further insight on this issue.
Combining With Other Privacy Policies
Relatedly, many employers may wish to include the CPRA privacy policy / notice at collection in an existing privacy policy covering HR data. Employers may have implemented these existing privacy policies to comply with other data protection laws, such as the European Union’s General Data Protection Regulation, or just for the sake of transparency. In that case, the CPRA privacy policy often can be incorporated into a more global privacy policy. For example, the factual sections about how data is handled could apply to individuals across multiple jurisdictions, whereas the description of California privacy rights could be covered in a section specific to California residents.
Updating the Privacy Policy
Finally, the CPRA requires the privacy policy to be updated “at least once every 12 months.”[10] Because the privacy policy represents the company’s data handling practices, employers should consider taking steps to update it for accuracy whenever there is a material change in how they handle California residents’ personal information. In addition, companies may choose to schedule an annual review of their privacy policy to ensure that no material changes are missed.
Steps for Drafting the Privacy Policy
Given the amount of information that must be disclosed in a CPRA-compliant privacy policy, employers should strategize their compliance efforts well in advance of the January 1, 2023 effective date. We recommend considering proactive measures, such as the following steps:
1. Perform Data Mapping: The first step often is to map relevant HR data. That is, employers should determine what categories of personal information they collect from HR Individuals, the sources of collection, the third parties to whom employee personal data is disclosed, and the purposes for which such information is collected. This assessment likely will require coordination among multiple departments, stakeholders, and custodians to account accurately for the company’s information-handling practices.
2. Determine How to Separate or Combine Privacy Policies: Employers should evaluate the extent to which they intend to create separate privacy policies for different populations or combine the privacy policy with other documents. For example, the employer might combine the CPRA privacy policy for applicants with an existing privacy policy on the applicant website, but draft a separate CPRA privacy policy for current workers to post on its intranet. The employer might post yet another CPRA privacy policy for dependents, beneficiaries, and spouses on its benefits portal.
3. Draft Privacy Policies With Employment Risks in Mind: In drafting the privacy policy, employers should be careful not to inadvertently create risks under other laws relevant to the employment context. For example, lumping together descriptions of how the company handles the personal information of employees and of independent contractors potentially could increase the risk of misclassification lawsuits. As a result, employment counsel should be closely involved in the drafting process.
4. Establish Regular Reviews: To ensure continued accuracy of the privacy policy, employers should consider establishing regular review processes.
Footnotes
[1] See Cal. Civ. Code § 1798.130(a)(5).