Duane Morris Synopsis: On the heels of California’s enactment of the California Consumer Privacy Act (“CCPA”) in 2020, and after two legislative bills that proposed to continue the employer exemption failed, employers will now need to comply with all requirements of the CPRA (“California Privacy Rights Act”) effective January 1, 2023. California-based employers now face these strict privacy requirements in the existing minefield of nuanced employment laws.

Legislative Background

The CCPA is often considered the most stringent data privacy law in the United States. This landmark law established privacy rights for California consumers, including: (1) the right to know about the personal information a business collects about them and how it is used and shared; (2) the right to delete personal information collected from them (with some exceptions); (3) the right to opt-out of the sale of their personal information; and (4) the right to non-discrimination for exercising their CCPA rights. (See https://oag.ca.gov/privacy/ccpa.).

Currently, data collected from workers is exempt from all but two provisions of the CCPA: (i) employers must provide an initial disclosure to all employees at or prior to the point of collection, and (ii) employees still have a right to statutory damages in the event of a data breach. “Employees” is a term that casts a wide net. It includes job applicants, business owners, officers, directors, medical staff members, independent contractors, emergency contacts and beneficiaries.

Two separate California state bills sought to continue the employer exemption: (1) AB 2891, for an additional three years; and (2) AB 2871, for an indefinite time period. Neither bill was passed by the Legislature in its final 2022 session. Accordingly, with the exemption expiring, employers must now fully comply with the former CCPA’s requirements, as the new CPRA comes into effect.

Employer Obligations

First, employees are now afforded various rights, including: (1) a right to request access to their personal information and information about how automated decision technologies work; (2) a right to correct inaccurate personnel information; (3) the right to request that an employer delete their personal information, including the obligation that employers must also notify third parties to whom they have sold or shared such personal information of the consumer’s request to delete; (4) the right to limit the use and disclosure of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.

Notice Obligations

Employers should be mindful of particular notice obligations under the CPRA. These include the: (1) requirement of notice at collection; and (2) requirement of a privacy policy. Regarding the notice at collection, employers are required to give employees, applicants, and contractors notice at the time they collect the information if they plan to collect, use, or disclose that personal information, while also disclosing the categories of personal information. The privacy policy is comprehensive and must disclose categories of personal information collected over the 12 months before the policy’s effective date. The policy also must disclose sources from which personal information is collected, the business purpose for the collection, categories of third-parties to whom personal information is disclosed; and categories of personal information sold or shared. And employers are obligated to post the privacy policy online where it is accessible to employees, applicants, and contractors.

Data Governance

To ensure compliance with the CPRA, it is crucial that employers understand where personal information is located within their businesses. It behooves them to undertake a data inventory or data mapping exercise to assess how and where relevant information is stored and/or transferred. Employers should also take stock of their records retention policies to ensure compliance, and also develop an internal framework to handle requests from employees for access and/or deletion.

Implications For Employers

Employers who have operations in California should immediately take heed of these new obligations. It is inevitable that the Plaintiff’s bar will be scrutinizing these practices come January 2023. Accordingly, employers should determine whether they are covered by the CPRA, and prepare privacy policies that are fully compliant.