What Employers Should Know About the New California Privacy Law
Beginning January 1, 2023, companies with employees or contractors in California may need to comply with a new, robust data privacy law. In 2020, California voters approved the California Privacy Rights Act (CPRA), which modified the existing California Consumer Privacy Act (CCPA), broadening its obligations from consumer information to employment data (among other changes).
If your business is subject to the CCPA/CPRA and has employees or contractors in California, the next few months are critical to prepare for compliance.
Who Is Subject to the CPRA?
Companies will have obligations related to employment data under the CPRA if they (1) meet the jurisdictional scope of the law and (2) have any employees or contractors in California, even if their business is not headquartered in the state.
A business falls within the jurisdictional scope of the CPRA if it meets at least one of the following thresholds:
- (a) Had annual gross revenue above $25 million in the previous calendar year; or
- (b) Annually collects, stores, analyzes, discloses, or otherwise uses ("processes") the personal information of 100,000 or more California residents or households; or
- (c) Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for targeted advertising) the personal information of California residents.
Because at least one of these criteria must apply—but not all of them—smaller businesses may be nonetheless within the scope of the CPRA if they have any California employees.
What Is "Personal Information" Under the CPRA?
The CPRA defines "personal information" as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
This includes not only name and email address but also any data points that can be connected to someone, such as an IP address, metadata and usage data, photos, audio, and video recordings, professional and employment information, and inferences about them. Generally speaking, the contents of job applications, employee personnel records, employee tracking, and employee communications are all "personal information" under the CPRA.
A business that satisfies the jurisdictional scope must comply with CPRA's obligations in relation to the personal information collected in the employment context about its California employees. This includes personal information collected about a job applicant, employee, owner, director, officer, medical staff member, or independent contractor in the context of that person's role. Information about emergency contacts and beneficiaries is also "personal information" under the CPRA.
What Are Employers' CPRA Obligations?
There are three major categories of compliance for employers: notice, employee rights, and data governance. Companies subject to the CPRA will be required to comply with largely the same obligations they already have for their consumers' data under the CCPA.
Notice
Employers must provide notice about their privacy practices to employees, job applicants, and contractors at or before the point of data collection. Similar to a consumer-facing privacy policy, the notice must include: (1) categories of personal information collected; (2) the purposes of collection; and (3) information about the disclosure and use of the information. The notice must also disclose retention periods (i.e., how long the company is keeping the employees' data).
Employee Rights
Employees, job applicants, and contractors will have several rights in relation to the collection and use of their personal information, subject to exceptions. They can:
- Access the specific pieces of personal information an employer holds about them (including any profiles or inferences) that were generated on or after January 1, 2022;
- Correct inaccurate personal information;
- Delete personal information collected from them (subject to certain exceptions, including to comply with a legal obligation);
- Restrict the use of their sensitive personal information (such as their financial information, social security numbers, communications content, health information, and biometrics) to specific business purposes or limited disclosures; and
- Opt out of the sale of personal information to third parties (i.e., disclosure for monetary or other compensation where there is not a written agreement restricting the other party's use of the data).
If an employer receives a request from an employee, contractor, or job applicant to exercise one of these rights, the employer will be required to honor the request within 45 days (with a one-time, 45-day extension available), unless an exception applies.
Data Governance
Businesses must implement certain data governance measures internally, such as creating a records retention schedule, using personal information only for the purpose the company has disclosed, and keeping personal information only as long as necessary for the purposes of retention.
How Do Employers Build for Compliance?
Employers can take proactive steps now to prepare for 2023.
Data mapping
The first step in building a privacy program is to understand what personal information about employees, job applicants, and contractors your business has collected; where it is stored; for what purposes it is collected and used; and to whom it is disclosed.
If you have already completed data mapping for the General Data Protection Regulation (GDPR) or CCPA compliance in relation to consumer data, this is effectively the same exercise for employee, contractor, and job applicant data. Creating a data map or inventory will enable your business to make accurate representations in your privacy notice, fulfill rights requests, and honor retention and other data governance policies.
Privacy notice
Based on the data mapping exercise, a privacy notice should be prepared for each subset of California individuals (employee, contractor, and job applicant) who meet the CCPA and CPRA specifications.
Some businesses will include the privacy disclosures for applicants in their consumer-facing privacy policy, while also providing a privacy notice in their employee handbook, contractor on-boarding, and internal websites. Businesses must also ensure that privacy notices are provided in the appropriate places (e.g., linked on any online applications forms).
Rights processes
Starting January 1, 2023, employees, job applicants, and contractors may submit access, deletion, correction, restricted processing, and opt-out requests.
Businesses should develop mechanisms for accepting these requests (e.g., through a webform, email address, and/or phone number where the employee can submit the request), analyze the application of legal exceptions to rights (e.g., what information are employers not required to delete in response to a deletion request), and create procedures for honoring requests and notifying employees, job applicants, and contractors of the actions taken (or not taken under an exception).
Employee training
As processes for rights requests are developed, the employees who are responsible for responding to requests must undergo training about the CPRA and the rights procedures. For most companies, this will likely be human resources representatives in collaboration with technology specialists.
Contracts
The CPRA requires that businesses have certain terms in their agreements with "service providers," or entities that receive and use personal information in order to perform services for the business (e.g., payroll providers, background check companies, and other entities who assist the business with its human resources functions).
These agreements must, among other things, restrict service providers' use of personal information to the purpose of providing that specific service to the business. Businesses should review their agreements with third parties to confirm it is a "service provider" relationship and the agreement has the requisite terms.
The California Privacy Protection Agency (CPPA) is preparing regulations to implement the CPRA. Businesses should also be attentive to these regulations, as they may add additional clarity, nuance, or specifications to compliance. Regulations are due to be issued July 1, 2022. Stay tuned for more information.
What Are the Consequences for Non-compliance?
The California Attorney General and the CPPA will enforce the CPRA; enforcement will begin July 1, 2023, after a 6-month grace period to come into compliance. Businesses that are alleged to have violated the CPRA will have a 30-day "cure" period in which to fix violations and thus avoid civil penalties.
Uncured violations may result in civil penalties of up to $7,500 per violation.
Final Thoughts
Businesses who have built their data collection, use, and storage systems for compliance with CCPA or GDPR may find that they are able to leverage their existing infrastructure to prepare for CPRA and its application to employment-related personal information. Furthermore, CPRA compliance efforts may help businesses achieve greater efficiency in the future, as state lawmakers and Congress consider new privacy laws and regulators turn greater attention to consumer and employee privacy.