Employers will have to disclose that they have been “selling” personal information of California employees under the California Consumer Privacy Act (CCPA), unless they update commercial contracts with service providers and other business partners effective 1 January 2022. Also, employers should tighten their data retention and deletion protocols, because CCPA requires data minimization and California employees are gaining broad data access, portability, and correction and deletion rights. Deployments of Artificial Intelligence, employee monitoring software, and automated decision-making are coming under increased scrutiny, too, pursuant to CCPA. Employers face these new requirements in addition to an existing obligation under CCPA to issue privacy notices to employees, which has applied since 1 January 2020 and required an update when the California Privacy Rights Act of 2020 (CPRA) took effect on 16 December 2020.
- Background on CPRA and CCPA
- CCPA Changes
- Outlook and Practical Guidance
Background on CPRA and CCPA
CCPA was originally introduced as a ballot initiative in 2018, focused on consumer privacy but with broad requirements also for employers. After a compromise with the legislature in the summer of 2018, CCPA was enacted as a statute to take effect on 1 January 2020, with a temporary carve-out for employee information. The legislature amended CCPA several times, and its original proponents launched a second ballot initiative in 2020 on CPRA, which passed at the general election and extended the temporary carve-out for employee information until 1 January 2023. At that time, businesses will be fully subject to CCPA requirements concerning all personal information – including information of consumers, employees and individual representatives of corporate business partners. Among other things, businesses will have to disclose whether they have been “selling” or “sharing” personal information in the preceding 12 months, i.e., after 1 January 2022.
Key CPRA revisions include a new definition of “sensitive personal information” and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of “sharing” personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt-out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency. For more details, see here.
Statutory Notice Requirement
According to the revised Cal. Civ. Code §§1798.100(a), 1798.145(m)(3), businesses have to provide job applicants, employees and other workers with an expanded privacy notice that includes certain details not currently required under CCPA, including the categories of sensitive personal information it collects and how long it retains personal information.
1798.100. (a) A business that controls the collection of a consumer’s personal information shall, at or before the point of collection, inform consumers as to:
- the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.
- if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing the consumer with notice consistent with this section.
- the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.
Cal. Civ. Code §1798.145(m)(3) takes effect immediately pursuant to Section 31(b) of the CPRA. The changes to Cal. Civ. Code §1798.100 are delayed until 1 January 2023. Californians for Privacy, the proponents of ballot initiative 24 that launched CPRA, stated at a recent conference that they intended the cross-reference in Cal. Civ. Code §1798.145(m)(3) to point to the revised Cal. Civ. Code §1798.100(a), which expands the notice requirements. The currently applicable version of §1798.100(a) contains an obligation on businesses to disclose specific pieces of personal information to consumers on request; this obligation is deferred until 1 January 2023 with respect to employee data.
Avoid Harmful Side Effects
When California employers update their employee privacy notices, they have to be mindful of setting or negating privacy expectations. If employers issue privacy notices to employees and job candidates that merely list the categories of information required by CPRA, the recipients of such notices may develop limited privacy expectations that could later hinder employers in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives (see here for more on monitoring employees).
Record Retention and Data Deletion
When employees and job candidates gain data access, portability, correction and deletion rights on 1 January 2023, California employers will face difficulties similar to those they have been encountering in the EU under the GDPR since 2018. CCPA covers much more than employee files. Any email, spreadsheet, contract or other document that refers to a California-based employee constitutes “personal information,” which may have to be discovered and produced in response to an access request, free of charge. To keep track of where information is stored and, at the same time, reduce the amount of data that is potentially subject to data access requests, employers should work on tightening their data retention and deletion protocols. This will also help employers comply with the new data minimization requirements contained in California Civil Code §1798.100(c):
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.
Outlook and Practical Guidance
The newly established California Privacy Protection Agency has started the process of drafting regulations, due by 1 July 2022, specifying how certain requirements under the revised CCPA apply. Most large and medium-sized companies that do business in California will be impacted. Compliance with the European Union General Data Protection Regulation (GDPR) or other jurisdictions’ privacy or data protection laws is not sufficient to meet the requirements of the revised CCPA, which are prescriptive and require companies to use counterintuitive terminology on website links and in privacy notices. For example, the revised CCPA defines “sharing personal information” to mean disclosing personal information for cross-context behavioral advertising purposes, and imposes onerous technical requirements on businesses that “share” or “sell” California residents’ personal information with other parties. Employers that inform employees that they do not “sell” their personal information or “share” it for cross-context behavioral advertising must also urgently update all vendor agreements to back up such representations.
This article was originally published in the January 2022 edition of LegalBytes, which can be found here.