When the California Privacy Rights Act (CPRA) takes effect and replaces the California Consumer Privacy Act (CCPA) on January 1, 2023, businesses will have new privacy obligations with respect to personal information (PI) of employees, applicants for employment, independent contractors, owners, directors, officers, and their beneficiaries and emergency contacts who are California residents.
New rights for employees
The CPRA provides individuals specific rights, some of which will require employers to create new compliance processes. These include the rights:
- to know what PI is being collected, shared for behavioral advertising, or sold, and to whom;
- to access PI;
- to correct inaccurate PI;
- to delete PI;
- to opt-out of the sale of PI and of its sharing for cross-context behavioral advertising;
- to restrict the use and disclosure of sensitive PI; and
- to be free from retaliation for exercising these rights.
Limitations on rights
Given the specific nature of the employer-employee relationship and the purposes for which employers use PI, employers should pay attention to the limitations and exemptions in the CPRA that they may be able to leverage when responding to a request. For example, the CPRA does not apply to certain types of information, including consumer reports (e.g., employment background checks), medical information covered by certain federal and state laws (e.g., employer-funded health insurance), financial information covered by the Gramm-Leach-Bliley Act, publicly available information, or de-identified or aggregated information if the business commits to specific requirements. The CPRA also allows for exemptions, for example, when necessary to comply with a legal obligation, to exercise or defend legal claims, or to maintain an evidentiary privilege, and when rights requests are manifestly unfounded or excessive.
Preparing for CPRA rights requests
Employers can take several steps ahead of January 2023 to develop and implement technical and organizational measures (both internal and external-facing) to receive, assess, and respond to individuals’ requests to exercise their rights.
One step is mapping PI collected from and about individuals, including the categories of PI (e.g., contact, financial, employment information, etc.) and their sources (e.g., collected directly from the individual or from other sources). Additionally, employers can create data retention policies, including policies for automatic archiving or deletion, to minimize the volume of data that the business must collect and review for a request. Businesses should take note that the CPRA applies to PI collected on or after January 1, 2022 and account for any specific data retention period required by federal or state law.
Responding to CPRA rights requests
When receiving a request, employers should first verify the identity of the individual. If a legal representative or other agent of an individual makes the request, the business should also verify the authority granted to the requestor, for instance by asking for a power of attorney or signed authorization from the individual. When an access request is very broad, employers can try to appropriately narrow the scope by asking the individual to clarify the request (e.g., date ranges, subject matter, etc.) or by making an educated guess about what information the individual is seeking, while leaving enough time before the statutory deadline to still honor the request on time if the information desired by the individual is broader than guessed.
The CPRA gives individuals the right to receive “specific pieces” of PI, not necessarily copies of entire documents. When assessing a request and how to respond, employers should decide whether to provide copies of actual records or just a list of PI, and as discussed above, should determine whether any exceptions apply (e.g., does the request cover any exempted categories of PI, or is it manifestly unfounded and excessive).
Before providing responsive information to the individual, employers should review all its contents for trade secrets, other business-sensitive or confidential information, privileged information, and information that, if provided, would adversely impact another individual’s privacy or other rights (e.g., a performance review revealing the reviewer’s identity), and redact accordingly.
Finally, employers should keep a record of its approach to searching for and limiting responsive PI, including the total volume of search results prior to filtering.
Privacy notice requirements
Beyond responding to rights requests, the CPRA requires employers to provide individuals with a privacy notice at collection and with a privacy policy describing how the employer will use, disclose, and retain their PI, including, among other things, the categories of PI and/or sensitive PI to be collected and the purposes of use for each category, whether the PI is sold or shared for behavioral advertising, and retention period for each category of PI, or the criteria used to determine that period.
The privacy disclosures can be posted on the homepage of the company’s internal website, if the individuals are directed to it. If the employer wants to collect additional categories of PI or use PI for additional purposes beyond those covered in the notice, the employer will need to provide individuals a new notice.
The CPRA also requires employers to impose specific contractual obligations on service providers and contractors who receive individuals’ PI (and proposed CPRA regulations extend similar requirements to contracts with third parties). For example, the contract must state that PI is to be used for limited and specified purposes and require the recipient to comply with obligations under the CPRA. The CPRA also imposes certain obligations directly on service providers and contractors, requiring them to cooperate with customers in numerous situations. Businesses should update their form agreements and existing agreements with vendors to comply with the CPRA ahead of 2023.
Noncompliance could be expensive
The California Attorney General and the newly established California Privacy Protection Agency (“Agency”) will share enforcement of the CPRA, with fines ranging up to $2,500 per violation or up to $7,500 for each intentional violation. As under the CCPA, individuals will have a private right of action only when PI is compromised in data breaches. The Agency is also tasked with rulemaking authority and recently released proposed regulations, which would add further requirements on employers; for instance, the proposed regulations will require businesses to obtain individuals’ explicit consent before collecting, using, retaining, or sharing PI for purposes unrelated to, or incompatible with, the purposes for which the PI was originally collected or processed.