CPRA: Employees and the New California Privacy Law

California has been setting the stage for new comprehensive privacy laws and requirements in the US. This started with the groundbreaking California Consumer Privacy Act (“CCPA”), which provided California consumers with several data privacy rights. California has become a trendsetter by being the first (and so far only) state to provide employees with a number of privacy rights.

“California consumers” was also meant to include employees; after two years the law went into effect, but with the passing of the California Privacy Rights Act (“CPRA”), which significantly amended and expanded the requirements of the CCPA, the employee rights provision will now be going into effect on January 1, 2023.

The California Privacy Protection Agency (CPPA) is still holding informational sessions on the CPRA, and formal rules are not expected until later this year. As a result, businesses will have limited time to implement any new rules. With so much uncertainty in the air, businesses should take practical steps to achieve compliance with the stated employee provisions of the CPRA.

Who is an employee?

In the context of CPRA, the employee requirements cover California residents in their roles as full- or part-time employees, applicants, independent contractors, and other work-related roles (“Employees”). As many businesses have increasingly offered remote working options during and since the pandemic, they need to determine which employees would be subject to the CPRA.

The [Employee] Right to Privacy

The most novel aspect of the California law is that the privacy rights granted to consumers will also be extended to employees. These include:

  • The right to know
  • The right to correct inaccurate information
  • The right to delete personal information held by the business – or by the business’ third party on the business’ behalf
  • The right to opt-out of the sale or sharing of data
  • The right to limit the use and disclosure of employee sensitive personal information
  • And, importantly, the right not to be retaliated against for exercising these rights.

One of the most significant undertakings will be assessing and responding to Employees’ rights requests quickly by fulfilling the request or determining whether an applicable exception applies. Businesses will need to develop a detailed process to govern employee rights requests so that they are verified, accepted or denied in part or in full, and responded to in a timely manner.

Some of the rights may be fulfilled under a self-service model. For instance, many businesses already allow employees to update or correct information that the company holds about them. In other cases, some of the Employee rights might not apply to the Employee population at all. For instance, if a business is not “selling” data to any vendors, then there is no obligation to provide a right to opt-out of the sale of data.

In addition, there will likely be statutory exceptions that businesses can rely on, since the Employee privacy rights are not meant to impact a business’s legitimate need to continue to process and retain certain personal information of employees. For example, an employee’s request to delete personal information is not absolute, as an employer may retain personal information such as name, address and banking information because this information is necessary to fulfill an existing employment contract.

Consumers ≠ Employees

Existing CCPA rights for California consumers may not apply in the same ways in the employment context. A good example from BakerHostetler is CPRA’s right to limit use and disclosure of Sensitive Personal Information (“SPI”). Based on the plain reading of the statute, this right only applies to data collected with the “purpose of inferring characteristics.” §1798.121(a). Businesses generally do not collect SPI with the purpose of inferring characteristics of their employees; rather, in the employment context, SPI would typically be processed in order to fulfill HR-related responsibilities, such as processing payroll and benefits. CPRA permits treating information not collected with the purpose of inferring characteristics as “personal information” for all sections of CPRA. Unless future regulations state otherwise, this reduces the burden on the business, as it may not be necessary to include the right to limit the use and disclosure of SPI in the CPRA requests process.

All of America or California Only:

While many businesses are now offering consumer rights regardless of where the consumer is located, businesses are mixed regarding whether the employee rights should be limited only to California-based Employees. Other states may eventually pass privacy laws with specific requirements applying to their resident employees. In addition, there is a risk of misuse of the CPRA rights by Employees to obtain discovery information that could be used in a legal action against the business. This has been a consistent issue within the context of GDPR, and something US-based businesses need to be mindful of.

4 Steps Towards Compliance:

1. Do a Data Mapping Exercise: Businesses should conduct a data mapping of their HR systems to determine what personal information they collect about their Employees, why this information is collected, and how this information is potentially shared with third parties. This foundational step will enable businesses to understand what should and should not be provided in a Data Rights request.

2. Employee Data Storage: As part of the data mapping exercise, businesses will need to consider how they manage and store Employee data, as this is usually handled separately from customer management systems. Most companies store and manage consumer and Employee data in entirely separate systems, and different departments are responsible for managing each type of data.

3. Review Employee Notices: The CPRA requires businesses to provide a notice to Employees regarding the data collected by the business and how the information is used. Although no model notice has been provided under the CCPA or CPRA, the notice must describe “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” The privacy notice must be given to employees “at or before the point of collection” and provide a copy of, or link to, the business’ privacy policy. While much of this can be covered during the employee-onboarding exercise, business teams will need to create standard operating procedures to determine when these sorts of notices should be given, as each new material use of data may require a new notice for Employees.

4. Security Measures: As with consumer data, CPRA requires businesses to safeguard Employee data. As with consumer data, businesses should also know that California residents can seek to recover statutory damages ranging from $100-750 if sensitive personal information is breached.

How BigID Helps with CPRA Employee Data (b2e)

BigID helps organizations adjust to the specific amendments to CCPA. Leverage BigID to achieve full compliance with CPRA by using our self-service portal and automated DSAR fulfillment for CPRA compliance. With BigID, organizations can: