Employers need to be aware of the significant changes that are on the horizon when the California Privacy Rights Act (CPRA) becomes operative on January 1, 2023.
By way of background, in November of 2021, California residents voted to pass the CPRA, which affords California consumers heightened rights and control over their personal information. California residents already have a number of rights under the California Consumer Privacy Act (CCPA), and the CPRA will provide even more rights to individuals — including employees — in California.
Currently, the only obligations that covered employers have under the CCPA is to provide a notice of collection and to reasonably safeguard personal information due to a partial exemption under CCPA for information collected in the context of employment. However, this will change on January 1, 2023, when the partial exemption for employers under the CCPA will expire. Although bills were proposed to extend the exemption for employers until at least January 1, 2026, the last day on which the California legislature could have passed those bills into law was August 31, 2022.
What’s New For Covered Employers In 2023 Under CPRA?
California employees of covered employers will have increased rights as of January 1, 2023, and accordingly, their employers will have increased compliance obligations. The new rights for California employees will include, among others:
(1) the right to know: the employee’s right to notice regarding the type(s) of personal information that their employer collects, sells, shares, or discloses, as well as the right to make a request that the employer to disclose personal information it has collected about the employee;
(2) the right to rectification: the employee’s right to correct or rectify the personal information that their employer maintains;
(3) the right to deletion: the employee’s right to request that the employer delete the personal information that the employer has collected about them;
(4) the right to data portability: the employee’s right to request that their employer provide them with, or transmit to another entity, a copy of their personal information in a reasonable format;
(5) the right to limit use and disclosure of sensitive personal information: the employee’s right to request that their employer limit the use and disclosure of “sensitive personal information” to certain defined activities.
Employers will need to evaluate employee requests to exercise their rights to determine their obligations under the CPRA, as employers may have certain bases to deny employee rights requests. For example, should an employee attempt to exercise their right to deletion, the employer could rightfully deny that request to the extent that certain personal information is required to carry out the employment relationship (to process payroll, provide benefits, etc), or because of statutory requirements that dictate the retention of certain employment related information. Further, the right to rectification can also be significantly limited to certain personal information that can be verified. However, in the wake of employee requests, covered employers must keep in mind that the CPRA prohibits discrimination against employees for exercising their rights under CPRA.
What Organizations Can Do to Prepare
In the coming months, there are a number of steps that employers can and should take to prepare for their new obligations under the CPRA. Organizations should consider the following when determining whether their processes and procedures are CPRA ready:
Data Inventory: Employers need to assess the locations of personal information, including employee personal information, and create a data inventory. Data inventories are helpful when an employer needs to identify the location(s) of employee data in response to an employee request under CPRA. For example, an employer cannot delete data if it does not know where it is. Employers should inventory not just their own data, but also data being held by third party service providers and contractors as these are also components of information required to be communicated when responding to access requests.
Records Retention: Employers might also assess their current records retention policies and schedules to ensure that they reflect retention periods appropriate for the states and/or jurisdictions in which they operate. With privacy principles like data minimization and storage retention continuing to be adapted and grow, the importance of appropriate records retention is growing in parallel.
Review of Existing Practices: Employers should also review their current CCPA notices of collection, as well as current policies and procedures related to privacy and cybersecurity, to determine any changes that should be made under CPRA to address the processing of new or sensitive personal information, the processing of information for new purposes, the length of time the personal information will be maintained, and the categories of third parties that will have employee personal information.
Vendor Assessment: Employers should review any contracts they maintain with any vendor that processes personal information about their employees and ensure that the contracts meet CPRA requirements.
This is a significant change for employers with employees in California; for some it will require a re-assessment of how personal data is handled and maintained, along with changes to current policies and procedures, but for others it will require a complete overhaul of current privacy and cybersecurity activities. These compliance initiatives cannot be put into place overnight; employers should expect it to take anywhere from three to six months to stand up a compliant privacy and cybersecurity program. That said, while compliance will not be enforced until July 1, 2023, employers can and should help themselves by beginning to make these changes now.