With the holidays upon us, companies are assessing year-end to-do’s and considering what 2023 will bring. For companies employing California residents, compliance with the new California Privacy Rights Act (CPRA) should be at the top of their list. Indeed, to date, companies that employed California residents had a reprieve from the consumer-facing rules and requirements of the California Consumer Privacy Act (CCPA). The CCPA, which is, essentially, a data privacy “bill of rights” for Californians, even impacted many companies based outside of California but only as to their consumer-side relationships.
However, as of January 1, 2023, this exemption from making disclosures and extending rights to your California employees will disappear with the enactment of the CPRA, which amends the CCPA. As of the first of next year, the broad definition of “personal information” that has applied to “consumers” will include employees, job applicants, officers, directors, and independent contractors.
This means California employers will need to provide these “consumers” with a privacy notice explaining the type of data collected and the purposes behind the collection. This translates into an update of your California privacy notice (if you had one for other consumers) or a new disclosure to provide California employees with not only an explanation of the type of data collected and the reason for the collection, but also a description of how employees can submit requests under their privacy rights.
Specifically, employers of Californians will need to make available to their employees, applicants and independent contractors:
- a right to know about the information collected about them;
- a right to delete personal information collected from them (subject to exceptions);
- a right to opt out of sale or sharing of that data;
- a right to opt out of automated decision-making technology (if applicable);
- a right to correct inaccurate personal information; and,
- a right to limit the use and disclosure of sensitive personal information, a right that also comes with some limitations.
These rights are not a blanket set of rights to be exercised by employees. For instance, under the CPRA, employees have the right to know about the personal information collected about them, but many employers already had certain processes in place under the California Labor Code, whereby employees had the right to know about certain information that an employer has collected, such as payroll records (Cal. Labor Code § 226), signed documents (Labor Code § 432), and personnel files (Labor Code § 1198.5). And, with a “right to delete,” employers will need to assess federal, state, and local retention requirements when responding, since a deletion request may be properly refused given the retention requirements of the Americans with Disabilities Act, Family and Medical Leave Act, Age Discrimination in Employment Act, and Fair Labor Standards Act.
Notably, the CPRA creates two new rights: a right to correct personal information that is inaccurate and a right to limit use and disclosure of “sensitive personal information.” Sensitive Personal Information includes (1) precise geolocation data, (2) racial or ethnic origin, (3) union membership, (4) the contents of certain employee email and text messages, and (5) biometric information. However, this right to limit the use and disclosure only applies to use of Sensitive Personal Information other than what would be “reasonably expected by an average” consumer/employee. So, collection of certain information by an employer, such as racial or ethnic origin, for diversity and inclusion purposes may therefore be excepted.
There are also timing requirements for responding to these requests and to the exercise of these rights, and there need to be specific ways in which the employee can make these requests. With the dawning of this new set of rights for California employees, companies subject to the CPRA should review the employee and applicant personal information collected to ensure an accurate and complete description of the categories of personal information collected, used, and disclosed. In addition, under the CPRA, companies have specific requirements for their representations and warranties in their contracts with third parties.
CPRA requirements may be confusing and challenging, especially for companies that, to date, have enjoyed the exemption for disclosures and rights extended to employees (under the CCPA). However, getting this policy and practice in place can be a doable task with just some straightforward questions, data mapping and updating of disclosures. A trusted data privacy advisor can help ensure your policy and practice comply.