Thu. Nov 24th, 2022

Duane Morris Synopsis: Following California’s passage of the California Consumer Privacy Act (“CCPA”) in 2020 and the failure of two bills that would have continued the employer exemption, employers are now required to comply with all requirements of the California Privacy Rights Act (“CPRA”) effective January 1, 2023. California-based employers now face these stringent privacy requirements on top of the existing minefield of nuanced labor laws.

Legal background

The CCPA is often considered the toughest privacy law in the United States. This landmark law establishes privacy rights for California consumers, including: (1) the right to know about the personal information a business collects about them and how it is used and shared; (2) the right to erase personal data collected from them (with some exceptions); (3) the right to opt out of the sale of their personal information; and (4) the right to non-discrimination in the exercise of their CCPA rights. (See https://oag.ca.gov/privacy/ccpa.)

Currently, data collected from employees is exempt from all provisions of the CCPA, with two exceptions: (i) employers must provide initial disclosure to all employees at or before the point of collection, and (ii) employees continue to have a right to legal damages in the event of a data breach. “Employee” is a term that covers a wide field. It includes job applicants, business owners, officers, directors, medical staff, independent contractors, emergency contacts, and beneficiaries.

Two separate California State bills aimed to continue the employer exemption: (1) AB 2891 for an additional three years; and (2) AB 2871 for an indefinite period. No bill was passed by the Legislature in its last session in 2022. Accordingly, once the exemption expires, employers must fully comply with the requirements of the former CCPA as the new CPRA becomes effective.

Employer Obligations

First, employees are now granted various rights, including: (1) the right to request access to their personal data and information about how automated decision-making technologies work; (2) the right to have inaccurate personal information corrected; (3) the right to request that an employer erase their personal information, including requiring employers to also notify third parties to whom they have sold or disclosed such personal information of the consumer’s erasure request; and (4) the right to limit the use and disclosure of sensitive personal information to what is necessary to perform the services or provide the goods reasonably expected by an average consumer requesting such goods and services.

Obligations to notify

Employers should be aware of specific notification requirements under the CPRA. These include: (1) a requirement to give notification at collection; and (2) a requirement for a privacy policy. With respect to notification at collection, employers are required to notify employees, applicants, and contractors at the time the information is collected if they intend to collect, use, or disclose that personal information, while disclosing the categories of personal information. The privacy policy is comprehensive and must disclose categories of personal information collected in the 12 months prior to the effective date of the policy. The policy must also disclose the sources from which personal information is collected, the business purpose for collection, the categories of third parties to whom personal information is disclosed, and the categories of personal information sold or shared. Employers are also required to post the privacy policy online where it is accessible to employees, job applicants and contractors.

Data inventory

To ensure compliance with the CPRA, it is vital that employers understand where personal data resides within their organization. It is their responsibility to conduct a data inventory or data mapping to assess how and where relevant information is stored and/or transmitted. Employers should also take stock of their records retention policies to ensure compliance, and develop an internal framework to handle employee access and/or deletion requests.

Implications for employers

Employers with offices in California should take immediate notice of these new obligations. It is inevitable that the plaintiffs’ bar will examine these practices in January 2023. Accordingly, employers should determine whether they are covered by the CPRA and create privacy policies that are fully compliant.