The California Privacy Rights Act ("CPRA") expands employers' obligations with respect to the privacy of human resources ("HR") data more dramatically than any other legislation in U.S. history.1 Although clearly drafted with the primary goal of protecting California consumers, the CPRA also extends its protections to California residents in their roles as employees, applicants, independent contractors, and other work-related roles ("HR Individuals"). When the CPRA goes into effect on January 1, 2023, covered employers will be required to provide HR Individuals with extensive privacy notices, respond to requests to exercise new data rights, limit uses and disclosures of HR data, and obtain detailed contractual commitments from third-party recipients of personal information.2
The most novel aspect of the CPRA for employers will be the data rights that the CPRA grants California residents. Like California residents in their capacity as consumers, HR Individuals will enjoy six data rights. These include the rights to know, correct, and delete their personal information held by an employer, or by the employer's vendor on the employer's behalf. HR Individuals will also gain the rights to opt out of the sale or sharing of their personal information by their employer and employer's vendors and to restrict the use of their sensitive personal information. Finally, the CPRA provides HR Individuals with the right not to be retaliated against for exercising these rights.
This article discusses how the first three of these six rights - the rights to know, correct, and delete - apply to employers. The article also covers procedural requirements to respond to requests and obligations of service providers to assist in responding to rights requests. The discussion ends with practical recommendations on preparing for these three data rights. The next article in this series will discuss these issues in the context of the remaining three rights.
The analysis in this article is based on the CPRA's text only. The CPRA sets a deadline of July 1, 2022, for the publication of final regulations. These regulations could necessitate modification of this analysis.
Why Compliance with the California Consumer Privacy Act Does Not Prepare Employers for the CPRA's Data Rights
Although covered businesses have been required to comply with the CPRA's predecessor law, the California Consumer Privacy Act ("CCPA"), since January 1, 2020, employers still have a long road to meet the requirements of the CPRA's data rights. The CCPA granted data rights to California residents, but it provided these rights to California residents in their capacity as consumers only. The CCPA explicitly exempted HR Individuals from these rights.
Many companies, therefore, have already implemented policies and procedures to comply with the CCPA's data rights for consumers. These policies and procedures, however, will need modifications to apply to HR data requests. Most companies store and manage consumer and HR data in entirely separate systems, and different departments are responsible for managing each type of data. Also, due to the distinct laws and risks that apply to the two sets of data, businesses will reject requests to exercise consumer data rights and HR data rights based on different exceptions within the CPRA. Finally, the CPRA creates new rights for all California residents beyond those granted by the CCPA. Specifically, the rights to correct, to opt out of sharing, and to restrict processing of sensitive personal information do not appear in the CCPA at all, either for consumers or HR Individuals. Therefore, even if a company could adapt much of its CCPA consumer compliance process for HR data, it still must prepare to accommodate these new rights.
The Scope of the Data Rights and Key Exceptions for Employers
The key to understanding the impact of the data rights on employers is to understand how the CPRA defines and limits each right. Due to definitional limits and explicit exceptions, the rights to correct and delete will be far less burdensome to employers than the right to know.
The Right to Delete
At first glance, the right to delete personal information held by the employer might seem the most burdensome. In practice, however, employers may be obliged only rarely to comply with requests to delete.
First, the right to delete applies only to personal information "collected from" the individual.3 This appears to mean that the CPRA exempts from the right to delete a wide array of personal information that the employer creates about the HR Individual or receives from other sources, rather than from the HR Individual. Such exempted personal information might include, for example, results of reference checks, performance evaluations, shift schedules, complaints and related investigation reports, and communications discussing the individual.
Second, an employer may refuse a request to delete as necessary to comply with other laws applicable to the employer.4 In particular, due to the dozens of laws requiring employers to retain HR records, much of the information collected from the HR Individual would be protected from a request to delete at least for the duration of the data retention period. Third, the organization can refuse a request to delete if deleting the data would prevent the business from exercising or defending legal claims.5 Given the frequency of employment-related disputes, employers can reasonably refuse to delete a substantial amount of data provided by HR Individuals in order to defend themselves against possible legal claims.
The CPRA also provides more than a dozen other exceptions to the right to delete that might apply depending on specific circumstances. The three limitations described above, however, should provide grounds for most employers to reject the majority of requests.
The Right to Correct
Under the right to correct, the HR Individual can demand that the employer correct inaccurate personal information.6 A key limitation to this right turns on the type of information at issue. The CPRA only requires correction of "inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information."7 In effect, the CPRA appears to acknowledge that accuracy is both subjective and a matter of materiality, depending on the context.
Regarding subjectivity, HR Individuals should have the right to correct only objectively false information. For example, the CPRA clearly gives employees the right to have the employer correct their personal address if an employee has moved. Conversely, the HR Individual should not have the right to demand that a supervisor change a subjective opinion expressed in an employee's evaluation, e.g., "most difficult supervisee in my experience."
With respect to materiality, not all inaccurate information merits correction. To return to the example of the incorrect personal address, the CPRA plainly obligates the employer to correct the employee's personal address in the human resources information system. In that case, an inaccurate personal address could result in erroneous payroll deductions, incorrect leave calculations, and other material mistakes. However, the repetition of this inaccurate address in old documents need not be corrected, at least to the extent that the company would not rely on them for the correct address. For example, it seems unlikely that the CPRA would require the employer to correct old email chains containing the faulty address.
The Right to Know
The CPRA's right to know encompasses two distinct rights: the right to a disclosure explaining how the employer collects and handles the individual's personal information, and the right to copies of "specific pieces of personal information."
Right to Disclosure
Regarding the right to disclosure, the employer must provide the following:
- The categories of personal information it has collected about that individual;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose for collecting, selling, or sharing the personal information;
- The categories of third parties to whom the employer discloses personal information;
- The categories of personal information, if any, that the employer sold or shared and, for each such category of personal information, the categories of third parties to whom the personal information was sold or shared; and
- The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.8
Although this list may seem overwhelming, employers can take comfort from the fact that, for most HR Individuals, the disclosure for one individual will be almost identical to the disclosure for other individuals in the same category. With respect to employees, for example, the employer typically collects the same information from employees at onboarding and handles that information similarly.
The challenging aspect will be tracking the outlier information, for example, whether the employee ever suffered a workplace injury, which might mean specific disclosures and collecting information from new sources. To assist in disclosing this information, employers should maintain a list of "outlier" items to check when responding to a request. The data-mapping discussed below in the section on "Practical Steps to Prepare" should support this checklist by providing a map of where to look for the outlier information.
Right to Specific Pieces of Personal Information
As onerous as responding to requests for disclosure may be, the right to specific pieces of personal information may create more conceptual headaches for employers. The CPRA does not define what constitutes "specific pieces of personal information." Although the phrase seems to apply to discrete items, such as name and telephone number, it is unclear when personal information is no longer "specific." Would the phrase encompass written evaluations of an employee, an applicant's resume, or even emails written by an employee? The answer is probably not. The CPRA does not require the employer to produce "copies" of personal information, or "records" or "documents" or anything else suggesting that the employer must produce a full record that contains personal information. Nevertheless, records likely contain "specific" pieces of personal information, which raises a question about the extent to which employers must comb through records and cull out "specific pieces of personal information." To assist their compliance teams in responding consistently and efficiently to these requests, employers will need to develop defensible guidelines regarding what they must produce.
Comparison to California's Personnel Records Rights
The right to "specific pieces of personal information" differs from California's employment laws that provide employees with explicit rights to certain employment records. For example, California Labor Code § 1198.5 grants current and former employees the right to review and receive a copy of "personnel records that the employer maintains relating to the employee's performance or any grievance concerning the employee."
The CPRA's focus on "specific pieces of personal information" betrays its origin as a consumer protection law, rather than an employment law. The law appears to envision the type of data that a social media site or retailer might collect about an individual, e.g., email address, purchases, frequency of visits, etc. These types of discrete data points typically do not contain information of real importance to an individual in the employment context. HR Individuals would place far higher importance on items such as disciplinary records, evaluations, communications about the employee, etc. In practice, therefore, California employees may turn to their existing rights under California's employment laws, rather than exercising their right to know.
Limitations on the right to know
The grounds for refusing requests to know will excuse the employer from far fewer requests than the grounds to reject a request to delete. Crucially, the right to know is not limited to personal information "collected from" the individual. Therefore, both (a) personal information created by the employer, e.g., ratings; and (b) personal information collected from third parties, e.g., the employer's collection and review of an applicant's social media activity, fall within the scope of the right to know.
Nevertheless, three of the grounds for refusing requests to know will be particularly important for employers. Not only do these grounds provide the basis for denying a large range of requests, they also will permit employers to reject some of the most burdensome requests.
First, the right to know contains a lookback limitation. The employer may deny a request to know to the extent that the request covers a time period more than 12 months before the date of the request.9 The 12-month limit is not written in stone, however. The CPRA authorizes the California Attorney General to issue regulations permitting the consumer to request and obtain information from a longer period, as long as (a) complying with the request would not prove "impossible" for the business or "involve a disproportionate effort," and (b) the personal information was collected on or after January 1, 2022.10 This means, on the one hand, that employers need not concern themselves with personal information collected before January 1, 2022. On the other hand, employers should start implementing procedures now to track their HR data so that, starting on the CPRA's January 1, 2023 effective date, they can respond to requests that reach back to January 1, 2022.
Second, employers can refuse requests to know on the ground that they are "manifestly unfounded or excessive, in particular because of their repetitive character."11 This should excuse employers from having to respond to requests intended to harass. The exception also might exempt employers from requests for unstructured data that would be infeasible for the company to search, for example, requests for personal information in emails.
Third, the CPRA protects privileged materials. Therefore, communications with in-house and external counsel generally should be exempted from the right to know.
Finally, the California Attorney General may add supplementary grounds for rejection in the CPRA's regulations. For example, the CCPA's regulations prohibit an employer from providing specific pieces of sensitive personal information in response to a request to know.
The CPRA also makes the employer responsible for personal information held by the employer's service providers. For example, in response to a request to know, the employer must describe not only how the employer handles the HR Individual's personal information, but also how service providers handle that information on the employer's behalf. Likewise, the employer must ensure that service providers delete or correct the HR Individual's personal information in their possession if the HR Individual makes such a request. Of some help to employers, the CPRA places an affirmative obligation on the service provider, at many points in the statute, to assist the employer in responding to data rights requests. However, to avoid ambiguity, employers should clarify the vendor's responsibilities in the service agreement. Ideally, the contract should require prompt, precise, and thorough assistance with data rights requests regarding personal information held or handled by the vendor.
Procedural Requirements to Respond to Requests
Of the CPRA's procedural requirements for responding to data rights requests, two will be particularly important to employers: the verification requirement and the 45-day deadline.
Before responding to the data rights request, the employer must verify the identity of the requestor. For current employees, verification generally will be quite simple because of the employer's familiarity with the individual. For former applicants, employees, and independent contractors, as well as current and former dependents and beneficiaries, verification may pose a challenge.
The CPRA is rather slim on details about how to verify. As a general matter, the CPRA states that the business must use "commercially reasonable methods" and require authentication "that is reasonable in light of the nature of the personal information requested."12 The employer also cannot require the requestor to create an account with the business in order to verify identity.
The CPRA's regulations may provide more detail, likely along the lines of the verification rules provided in the CCPA's regulations. The CCPA's regulations generally require the business to match personal information provided by the requestor against identifying information about the individual that the business previously collected. Depending on the sensitivity of the request, the business must reduce the risk of spoofing by asking the requestor for additional items of personal information.
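The matching approach just described can be implemented in a few dozen lines. The following is an added example, not code from the article or from any regulator; it assumes hypothetical field names (last_name, employee_id, postal_code, last4_ssn), two request tiers, and illustrative match thresholds (two data points for a request for categories, three for specific pieces or deletion), none of which appear in the CPRA text. It stores only hashes of the identifiers, normalizes input before comparison so that trivial formatting differences do not fail a legitimate requestor, compares in constant time, and never tells the requestor which field failed, which limits what a spoofing attempt learns from a rejected request.

```python
"""Tiered identity verification for HR data-rights requests (added example).

Assumption: a request that reaches more sensitive data must match more
independent identifiers the employer already holds. Field names, tiers and
thresholds below are illustrative, not taken from the statute or regulations.
"""
import hashlib
import hmac
import unicodedata
from dataclasses import dataclass, field

# Assumed tiers: number of independently matching data points required.
REQUIRED_MATCHES = {
    "categories": 2,        # request to know categories/handling of PI
    "specific_pieces": 3,   # request for specific pieces, correction, deletion
}


def normalize(value: str) -> str:
    """Canonicalize a data point: Unicode NFKC, case-fold, drop whitespace."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return "".join(folded.split())


def digest(value: str) -> bytes:
    """Hash a normalized data point so plaintext identifiers are not kept."""
    return hashlib.sha256(normalize(value).encode("utf-8")).digest()


@dataclass
class StoredRecord:
    """Hashed identifiers the employer previously collected for one person."""
    fields: dict[str, bytes]

    @classmethod
    def from_plain(cls, plain: dict[str, str]) -> "StoredRecord":
        return cls({name: digest(value) for name, value in plain.items()})


@dataclass
class VerificationResult:
    verified: bool
    matched: list[str] = field(default_factory=list)
    # Generic reason intended for the requestor; never names the failed field.
    reason: str = ""


def verify_request(record: StoredRecord, provided: dict[str, str],
                   request_type: str) -> VerificationResult:
    """Count provided data points that match stored hashes; compare to tier."""
    needed = REQUIRED_MATCHES[request_type]
    matched: list[str] = []
    for name, value in provided.items():
        stored = record.fields.get(name)
        if stored is None:
            continue  # unknown field: ignore, do not reveal schema
        if hmac.compare_digest(stored, digest(value)):
            matched.append(name)
    if len(matched) >= needed:
        return VerificationResult(True, matched)
    return VerificationResult(
        False, matched,
        f"could not verify identity for a {request_type} request")


if __name__ == "__main__":
    # Constructed sample record; not real data.
    record = StoredRecord.from_plain({
        "last_name": "Nguyen", "employee_id": "E-10442",
        "postal_code": "94105", "last4_ssn": "1234",
    })
    # Former employee supplies two points: enough to learn categories only.
    print(verify_request(record, {"last_name": " NGUYEN ",
                                  "postal_code": "94105"}, "categories"))
    # Same two points are not enough for specific pieces of PI.
    print(verify_request(record, {"last_name": "Nguyen",
                                  "postal_code": "94105"}, "specific_pieces"))
```

The matched field names in VerificationResult are for the internal ticket record; only the generic reason should go back to the requestor.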
Employers must respond to requests to know, to correct, and to delete within 45 days of the request. The employer may extend this deadline once by an additional 45 days "where reasonably necessary."13 However, the employer must provide the requestor with notice of the extension within the first 45-day period.
Many employers have, no doubt, read to this point with an increasing sense of gloom. Without question, these new obligations are onerous. One bright spot for employers, however, is the fact that the CPRA does not grant a private right of action to enforce failures to comply with any of its data rights. Moreover, the CPRA states: "Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law."14 This should discourage lawsuits even in California's highly litigious environment.
The CPRA delegates enforcement to a new agency, the California Privacy Protection Agency ("CPPA"). The CPPA will have the authority to issue orders to cease and desist from violating the CPRA and to impose fines of up to $2,500 for each violation and up to $7,500 for each intentional violation.
Practical Steps to Prepare
Due to the complexity of the data rights component of the CPRA, employers should start their compliance project in the second half of 2021 to meet the January 1, 2023 deadline. We recommend the following four-step compliance process.
- Data Mapping
The first step is to map the relevant data. Employers should determine what types of HR data they maintain and where they store it. This will simplify the process of retrieving, correcting, or deleting personal information in response to a request. Ideally, the organization can implement technical solutions that allow it to produce reports on all the personal information about an HR Individual across multiple systems and databases and to correct or delete data simultaneously across those resources.
In addition to mapping the location of data, the data mapping project should chart the purposes of use and flow of data, especially disclosures, sales, and sharing. This may require coordination among multiple departments.
We recommend using data mapping tools, such as charts and spreadsheets, to document this effort. The tools should be shareable, working documents. Not only will multiple stakeholders work on this project, but the business should maintain and update these documents as it changes data handling practices. The tools should be resources to assist the company in responding to data rights requests on an ongoing basis.
- Develop Administrative Structures to Handle Requests
The next step is to develop the administrative structures to manage the response to requests. This will mean assigning departments or individuals to verify the requestor, receive and route the requests, determine whether to comply or refuse, coordinate compliance with the request, and communicate with the requestor. In a large organization, the employer may need to create liaison roles for departments and databases to assist the main coordinator in gathering the relevant information or ensuring execution, e.g., correction of the personal information. Organizations also should consider creating governance structures to monitor compliance and coordinate with other departments in the organization.
- Implement Written Policies and Procedures
The employer should implement written policies and procedures to govern the response process. These documents should cover the nature of the data rights and how to respond, as well as administrative roles and responsibilities. To reduce the burden on the legal department for making decisions about how to handle the requests, the documents should include guidelines and examples. For example, the policies should have lists of common examples on what does and does not constitute "specific pieces of personal information."
In addition, to ensure that the organization handles requests in a compliant and consistent manner, the employer should develop forms both for HR Individuals to submit their requests and for the response team to communicate with the requestors. Ideally, the company would implement a ticket system to maintain records about each request and the employer's response. The ticket system also should be designed to help the employer meet the CPRA's response deadlines.
- Train the Response Team
The employer must ensure that all individuals responsible for handling data rights requests understand the legal requirements for responding to those requests.15 Accordingly, the organization should train all members of the response team, including the governance group and any liaisons, on the CPRA's data rights and their responsibilities.
1 See California Privacy Rights Act of 2020, 2020 Cal. Legis. Serv. Proposition 24 (to be codified at Cal. Civ. Code § 1798.100 et seq.). The amendments relevant to employers will take effect on January 1, 2023.
2 For background on the CPRA, please see Anna Park, Zoe Argento, and Philip Gordon, Substantial New Privacy Obligations for California Employers: The California Privacy Rights and Enforcement Act of 2020 Passes at the Polls, Littler Insight (Nov. 5, 2020), available at https://www.littler.com/publication-press/publication/substantial-new-privacy-obligations-california-employers-california.
3 Cal. Civ. Code § 1798.105(a) (West 2021).
4 Id. at § 1798.145(a)(1).
5 Id. at § 1798.145(a)(5).
6 Id. at § 1798.106.
8 Id. at §§ 1798.110, 115.
9 Id. at § 1798.130(a)(2)(B).
11 Id. at § 1798.145(h)(3).
12 Id. at §§ 1798.140(ak), 1798.130(a)(2)(A).
13 Id. at § 1798.130(a)(2)(A).
14 Id. at § 1798.150(c).
15 Id. at § 1798.130(a)(6).
This is the first in a series of articles about the implications of the California Privacy Rights Act for employers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.