Seyfarth Synopsis: Employers need to be aware and prepare for significant changes to options and rights afforded to employees with respect to their private data and information coming with the California Privacy Rights Act's (CPRA) January 1, 2023, operative date. Employers will have significant obligations when the grace periods for HR and business to business (B2B) data expire on that date.
Expect The Unexpected
In November 2020, California residents voted to pass the CPRA, which gives California consumers heightened rights and control over their personal information. Until recently, the older privacy statute, the California Consumer Privacy Act (CCPA), has basically been a floater for California employers, with minimal obligations being enforced, as we previously blogged about.
The current obligations are limited to providing employees (or job applicants, contractors, or other workers) with a notice of collection and reasonably safeguarding their personal information, due to a partial exemption under the CCPA for information collected in the context of employment.
But, these privacy protections are about to go from floater status to Head of Household on January 1, 2023, when the partial exemption for employers under the CCPA will expire. Although legislation was proposed to extend the exemption for employers until at least January 1, 2026, the last day on which the California legislature could have passed those bills into law was August 31, 2022—now the business to business (B2B) and HR exemptions have been evicted from the law and employees will be able to leverage their new privacy rights in several new ways, including in the context of disputes.
More Than A Showmance: New Obligations For Covered Employers In 2023 Under CPRA
California employees of covered employers will have increased rights as of January 1, 2023, and accordingly, their employers will have increased compliance obligations. These new rights include, among others:
- Right to know: the employee's right to a notice regarding the type(s) of personal information that their employer collects, sells, shares, or discloses, as well as the right to make a request that the employer to disclose personal information it has collected about the employee;
- Right to rectification: the employee's right to correct or rectify the personal information that their employer maintains;
- Right to deletion: the employee's right to request that the employer delete the personal information that the employer has collected about them;
- Right to data portability: the employee's right to request that their employer provide them with, or transmit to another entity, a copy of their personal information in a reasonable format;
- Right to limit use and disclosure of sensitive personal information: the employee's right to request that their employer limit the use and disclosure of "sensitive personal information" to certain defined activities.
The Power Of Veto
Employers will need to evaluate employee requests to exercise their rights to determine their obligations under the CPRA, as employers have certain bases to deny employee requests.
For example, if an employee wants to exercise their right to deletion, the employer could rightfully deny that request to the extent that certain personal information is required to carry out the employment relationship (to process payroll, provide benefits, etc.). Or, employers could deny the request because of statutory requirements that dictate the retention of certain employment related information, such as demographic and pay information that must be the subject of regulatory reporting.
Also, the right to rectification can also be significantly limited to certain personal information that can be verified. So, while it would be reasonable for an employee to change their address, it may not be reasonable without backup documentation for them to change their Social Security number or taxation information. Employers are also still allowed to utilize data to enable solely internal uses that are reasonably aligned with the expectations of the employee based on their relationship with the employer.
However, in the wake of employee requests, covered employers must keep in mind that the CPRA prohibits discrimination against employees for exercising their rights under CPRA—so be careful if these individuals are selected to go on the block.
How Companies Can Be More Prepared Than A Superfan Or A Veteran
Before year's end, there are a number of steps that employers should take to prepare for their new obligations. Organizations should consider the following when determining whether they are CPRA ready:
- Data Inventory: Employers need to assess the locations
of personal information, including employee personal information,
and create a data inventory.
- Data inventories are helpful when an employer needs to identify the location(s) of employee data in response to an employee request under CPRA. Importantly, not knowing where the data is held is not an excuse from compliance with a valid request, and an employer can't delete data if it doesn't know where it's located.
- Employers should inventory not just their own data, but also data held by third party service providers and contractors as these are also components of information required to be communicated when responding to access requests.
- Records Retention: Employers might also assess their current records retention policies and schedules to ensure that they reflect retention periods appropriate for the states and/or jurisdictions in which they operate. As privacy principles like data minimization and storage retention continue to be adapted and grow, the importance of appropriate records retention is growing in parallel.
- Review of Existing Practices: Employers should also review their current CCPA notices of collection, as well as current policies and procedures related to privacy and cybersecurity, to determine any changes that should be made under CPRA to address the processing of new or sensitive personal information, the processing of information for new purposes, the length of time the personal information will be maintained, and the categories of third parties that will have employee personal information. Employers with operations outside California should also consider to what extent they will extend these rights to their other employees (even if not currently legally required), especially given we can expect additional laws on the horizon.
- Vendor Assessment: Employers should review any contracts they maintain with any vendor that processes personal information about their employees and ensure that the contracts meet CPRA requirements, including determining whether they inadvertently share or "sell" employee personal information consequent to the vendor engagement, and whether any exceptions are available. The effort involved in this exercise, including potentially the need to renegotiate contracts, should not be underestimated.
This is a significant change for California employers that may require a re-assessment of how personal data is handled and maintained, policy and procedure changes, or even a complete overhaul of privacy and cybersecurity activities. Wise employers won't be caught as a have-not and will begin these initiatives now in order to meet the deadlines January 1, 2023, deadline.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.