Effective Jan. 1, 2023, California employers will be required to comply with the California Privacy Rights Act of 2020 (CPRA). The CPRA amended the California Consumer Privacy Act of 2018 (CCPA). Many California businesses have been complying with the CCPA to protect data obtained from consumers. This article will focus on the new requirements specific to employers and the privacy of employment-related data.
The CPRA applies to for-profit employers doing business in California that meet one or more of the following thresholds:
- Had gross annual revenue in excess of $25 million in the preceding calendar year.
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households.
- Derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information.
The CPRA requires employers to inform individuals who reside in California about the employment-related personal information (PI) collected by the employer and how that data is used. Covered individuals can include applicants, employees, dependents and independent contractors.
PI is information that identifies, relates to, or could reasonably be linked with a particular individual or household. It does not include information lawfully made available from federal, state or local government records, or information that has been deidentified or aggregated. Examples of PI include an employee's name, e-mail address, photo, IP address, and audio and video recordings.
Sensitive personal information is a subset of PI and includes an individual's:
- Social Security, driver's license, state identification card or passport number.
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
- Precise geolocation.
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- Mail, e-mail and text messages, unless the business is the intended recipient of the communication.
- Genetic data.
- Biometric information that uniquely identifies an employee or information about an employee's health, sex life or sexual orientation.
Privacy Notice
Employers must provide a notice at or before the time PI is collected that includes:
- The categories of PI and of sensitive personal information collected, and the purposes for which each category is used.
- Whether the employer sells or shares the PI.
- The length of time each category of PI will be retained by the employer, or the criteria used to determine that period.
- The third parties the employer uses to collect PI or to whom the employer discloses PI.
Because this information is very specific to the particular employer, a model notice is not provided in the CPRA. Employers need to map the employment-related data collected within their organization to know what information must be included in the notice. Many employers may find that engaging a vendor or legal counsel who is familiar with the CPRA requirements is necessary.
Individuals must also be informed of the following rights:
- The right to delete personal information collected from them.
- The right to know what personal information a business has collected about them and how it is used and shared.
- The right to opt out of the sale or sharing of their personal information.
- The right to correct inaccurate personal information that a business has about them.
- The right to limit the use and disclosure of sensitive personal information collected about them.
- The right to seek damages for breach of certain sensitive data.
- The right to not be retaliated against for exercising any rights under the CPRA.
There are several exceptions to the right to delete information, including PI maintained to comply with an employer's legal obligations. Employers should consult with legal counsel when presented with a request to delete an individual's PI.
When an individual in California makes a request covered by the CPRA, the employer must verify the individual's identity, confirm receipt of the request within 10 business days, and respond to the request within 45 calendar days. An employer may take up to 45 additional days to respond if it notifies the individual of the extension, and the reason for it, within the first 45 days.
Vendor Compliance
Employers that disclose employment-related PI to third parties, service providers or contractors must have a written contract with each recipient that:
- Identifies the limited and specified purpose(s) for which the personal information is made available to the third party.
- Specifies that the business is making the personal information available to the third party only for the limited and specified purposes set forth within the contract and requires the third party to use it only for those limited and specified purposes.
- Requires the third party to comply with all applicable sections of the CCPA including providing the same level of privacy protection as required of businesses by the CCPA.
- Grants the employer the right to take reasonable and appropriate steps to ensure that the third party uses the personal information that it received from the employer in a manner consistent with the obligations under the CCPA.
- Grants the employer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the third party.
- Requires the third party to notify the employer no later than five business days after it determines that it can no longer meet its obligations under the CCPA.
The CPRA is enforced by the California Privacy Protection Agency and the California Attorney General.