New Privacy Rights for Employees+ Under the California Privacy Rights Act
By Anuja Shah
Since January 1, 2023, employers have expanded obligations to their job applicants, employees, and independent contractors under the California Privacy Rights Act (“CPRA”). Companies that employ Californians now need to comply with new individual rights, such as the rights to access, deletion, correction and disclosure, as well as new notice obligations and Data Processing Agreement (“DPA”) requirements. Lastly, the CPRA will create a new enforcement agency called the California Privacy Protection Agency (CPPA).
Typically, the CPRA will apply to all for-profit businesses that collect personal information from California residents and that meet any of the following three thresholds:
- Has annual gross revenues (global) in excess of $25 Million, measured as of January 1, for the previous calendar year; or
- Alone or in combination annually buys, sells, or shares the personal information of 100,000 (this was 50,000 under the CCPA) or more consumers (which now include job applicants, employees and independent contractors) or households (in which each individual is counted separately); or
- Derives 50% or more of its annual revenue from selling or sharing personal information.
As we previously addressed here, the way the number of consumers is counted is surprisingly broad, and reaches companies that might think they are nowhere near that threshold. The CPRA expands the count further: for example, when an employee furnishes the name and email address of someone to contact in case of emergency (a so-called “ICE Contact”), the ICE Contact is also counted toward the threshold.
Rights Under The CPRA
Under the CPRA, job applicants, employees and independent contractors have the following expanded rights:
- The Right to Know:
Employees have additional rights to know what personal information is being collected, shared or sold. In particular, they may request disclosure of (i) categories of personal information collected, (ii) sources of personal information, (iii) third parties to whom the business discloses their personal information, and (iv) what personal information was sold/shared and to whom. Employees may also request disclosure of specific pieces of personal information collected.
- The Right to Delete Personal Information:
An employee can request that the business delete personal information collected from the employee. Businesses can, however, retain certain personal information despite a deletion request for certain stated purposes, including to complete a transaction, to comply with a legal obligation, and for internal uses that are reasonably aligned with the expectations of the data subject.
- The Right to Correct Inaccurate Personal Information:
Employees can request that the business correct their inaccurate personal information. A business may require the employee to submit documentation supporting the requested correction.
- The Right to Opt-out of Sale or Sharing of Personal Information:
Employees can request that the business not sell or share their personal information. This includes an employee’s right to opt out of automated decision-making technology, including the profiling of employees by automated means.
- The Right to Limit Use and Disclosure of Sensitive Personal Information:
Employees can request that the business limit the use and disclosure of their sensitive personal information (such as health information, Social Security number or driver’s license number) to the following:
- Only in a manner which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services;
- Only for certain “business purposes” as defined under the CPRA; and
- As authorized by forthcoming regulations.
- The Right Against Discrimination or Retaliation:
The CPRA specifically prohibits discrimination against an individual because the individual exercised any of their rights under the CPRA. Thus, a business cannot retaliate against an employee for exercising their rights under the CPRA, for example by terminating their employment.
How Can Businesses Comply With The CPRA?
Businesses can ensure compliance with the CPRA by taking the following steps:
- Data Mapping:
Businesses should carefully assess the types of personal or sensitive personal information collected from employees and the purposes for which it is collected, in order to determine whether they are required to provide employees a right to limit the use or disclosure of sensitive personal information. Employers should also track where such information is stored.
- Develop Administrative Structures to Handle Requests and Training of Staff:
The next step for employers is to develop administrative structures to manage the response to employee requests under the CPRA. They will need to train their staff and assign departments or individuals to respond to such requests.
- Notice at Collection:
Businesses must provide their employees a notice at or before the collection of personal information. Such notice may be given by way of a privacy policy posted online that sets out the categories of personal and sensitive information collected, the purposes for which it is collected, whether such information is shared with or sold to third parties, and the length of time for which the business intends to retain such information. Businesses must also list the rights employees have under the CPRA and how an employee can exercise those rights.
- Review Data Protection Agreements with Third-Party Recipients of Personal Information:
Under the CPRA, a business that sells or shares personal information of an employee with a service provider, contractor, or any other third party must enter into an agreement called a Data Processing Agreement (DPA) with that entity. The DPA obligates the service provider, contractor, or other third party to comply with applicable requirements and to provide the same level of privacy protection as the business provides to its employees. The CPRA includes specific requirements for such contracts, such as prohibiting any onward sale or sharing of personal information. Businesses should confirm that their vendor contracts satisfy these requirements.
- Post-Employment:
Businesses that retain personal information of former employees or job applicants should ensure that such information is deleted once the purpose for which it was collected no longer exists.
Enforcement
The CPRA will create a new enforcement agency called the California Privacy Protection Agency (CPPA). The California Attorney General (AG) and the CPPA will hold joint authority to enforce the CPRA.
The CCPA provided a business the opportunity to cure any non-compliance within 30 days after receiving formal notice. That has been eliminated under the CPRA. Thus, under the CPRA, the State AG will have wider powers and now fines can technically be issued without warning or an opportunity to cure.
Conclusion
With the expanded rights given to employees, job applicants and independent contractors, California employers should take steps to comply with the updated privacy laws, both to protect employee data and to protect themselves from liabilities that could run into substantial fines.