With special thanks to Lothar Determann for this post.
The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), which has obligated California employers to issue privacy notices to employees since January 1, 2020. These notices must be updated as soon as possible, given that the new law was certified on December 16, 2020. Most other CCPA obligations on employers remain deferred.
Background on CPRA
Key CPRA revisions include a new definition of “sensitive personal information” and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of “sharing” personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency.
Statutory Notice Requirement
According to the revised Cal. Civ. Code §§1798.100(a) and 1798.145(m)(3), businesses have to provide job applicants, employees and other workers with an expanded privacy notice that includes certain details not currently required under CCPA, including the categories of sensitive personal information they collect and how long they retain personal information.
1798.100. (a) A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers as to:
(1) the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.
(2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing the consumer with notice consistent with this section.
(3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
Cal. Civ. Code §1798.145(m)(3) takes effect immediately pursuant to Section 31(b) of the CPRA. The changes to Cal. Civ. Code §1798.100 are delayed until January 1, 2023. Californians for Privacy, the proponents of ballot initiative 24 that launched CPRA, stated at a recent conference that they intended the cross-reference in Cal. Civ. Code §1798.145(m)(3) to point to the revised Cal. Civ. Code §1798.100(a), which expands notice requirements. The currently applicable version of §1798.100(a) contains an obligation on businesses to disclose specific pieces of personal information to consumers on request; this obligation is deferred until January 1, 2023 with respect to employee data.
Avoid Harmful Side Effects
When California employers update their employee privacy notices, they have to be mindful of setting or negating privacy expectations. If employers issue privacy notices to employees and job candidates that merely list the categories of information required by CPRA, the recipients of such notices may develop limited privacy expectations that could later hinder employers in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.
Outlook and Practical Guidance
The California Privacy Protection Agency will be responsible for drafting and adopting regulations by July 1, 2022 specifying how certain requirements under the revised CCPA apply. Most large and medium-sized companies that do business in California will be impacted. Compliance with the European Union General Data Protection Regulation (GDPR) or other jurisdictions’ privacy or data protection laws is not sufficient to meet requirements under the revised CCPA, which are prescriptive and require companies to use counterintuitive terminology on website links and in privacy notices. For example, the revised CCPA defines “sharing personal information” to mean disclosing personal information for cross-context behavioral advertising purposes, and imposes onerous technical requirements on businesses that “share” or “sell” California residents’ personal information with other parties. Employers that inform employees that they do not “sell” their personal information or “share” it for cross-context behavioral advertising must also urgently update all vendor agreements to back up such representations.