CPRA Obligations For Employers
For those not in the know, the California Privacy Rights Act (CPRA) is a state-wide data privacy law passed by voters in the November 2020 general election, breaking new waves on the Pacific frontier of US data protection. It amends and expands the California Consumer Privacy Act (CCPA). One of the law's key expansions is that it defines what employers can and can't do with their employees' data and information.
The CPRA will take effect on January 1, 2023 and become fully enforceable on July 1, 2023, with a look-back period from January 1, 2022. While I would like to go over the differences between the CCPA and the CPRA, the focus of this article is what employers need to be aware of and what steps they'll need to take to ensure they aren't breaking any laws.
The CPRA authorizes the rulemaking process to begin during that same period. Notably, however, the CPRA's expansion of the "Right to Know" applies to personal information (PI) collected during the ramp-up period, that is, on or after January 1, 2022. Businesses must still comply with the CCPA and its regulations in the meantime.
The CPRA immediately extended the current limited CCPA exemption for employment and business-to-business data until January 1, 2023.
All CPRA Obligations That Will Apply to Employers
Notice: Employers will have to provide a comprehensive notice of their collection of personal information (PI) from employees, job applicants, and contractors. The notice must describe the categories of personal information collected, the purposes of collection, details on disclosure of personal information, and how long personal information is retained.
Right to Access: Employees will have the right to access the categories of personal information and the specific pieces of personal information held about them. This includes any inferences drawn from personal information to create a profile reflecting the employee's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Right to Correct: Employers must give employees the right to correct their personal information and, upon request, must use commercially reasonable efforts to make those corrections.
Right to Delete: Employers such as yourself will need to give employees the right to delete their personal information when requested. However, numerous statutory exemptions may apply, including allowing an employer to retain personal information reasonably anticipated by the employee within the context of an ongoing relationship with the employer, to perform a contract between the employee and employer, or to comply with a legal obligation. In other words, employers are allowed to keep certain information if they need it to perform a contract with the employee and/or are required to retain that information by law.
Right to Restrict Uses of Sensitive Personal Information: Just to rehash, sensitive personal information includes a social security number, account login, financial information, geolocation, racial or ethnic origin, religious beliefs, sexual orientation, health information, biometrics, and the contents of employee communications unless the employer is the intended recipient of the communication. Starting in January 2023, an employee may be able to direct an employer to limit certain uses of sensitive personal information to specific business purposes, as well as to direct an employer to limit disclosure of sensitive personal information, absent a qualifying exemption.
Right to Opt Out: Provide employees the right to opt out of the sale of personal information to third parties. The term “sale” is a broad term, and includes disclosing employee information to business partners, vendors, and contractors absent a written agreement containing specific terms restricting the third party’s use of that data, or a qualifying exemption.
In layman's terms, you, the employer, are going to be held to the same standards your company already meets for consumers' data, except this time it's your employees' information. Also, be aware that certain obligations are subject to change depending on action expected in the coming year from the newly constituted California Privacy Protection Agency.
What Steps Should Employers Take to Prepare?
Given the complexity of HR data and systems, as well as the sensitivity of employee data generally, it is not too early for employers to prepare for the CPRA. Such efforts might include, for example (NOTE: these don't have to be done in any particular order; follow whatever order makes the most sense for you):
Retention Policy: Develop and document a retention policy that complies with applicable employer data retention obligations. A good way to do this is to look at retention policies published by other companies as a reference for how yours should look.
Data Mapping: Understand the information that the business collects, the categorization of that data (whether personal information or sensitive personal information), where the data is located, and the steps needed to access, correct, or delete it. A major part of this effort should also include determining which of the identified data practices are subject to applicable exemptions from the CPRA. You should also record which data you are required by law to retain regardless of whether the data subject wants it erased; legal retention obligations can override a data subject's rights over their personal information.
Contract Review: Review partner contracts to correctly distinguish service providers and contractors from third parties, and confirm that the contracts include the necessary restrictions for each classification. It might be good to prioritize those partners that present more risk to the company, whether due to the nature of the processing or the type or volume of data in scope. However, you might want to wait to update these contracts until the California Privacy Protection Agency (CalPPA) provides more insight on the necessary terms in the forthcoming CPRA regulations, although the existing CCPA regulations are instructive. (NOTE: If you don't have in-house counsel, having a legal team review the contracts is advised.)
Privacy Stakeholders: Determine the legal, HR, and technology support (internal resources or external technology solutions) responsible for the efforts necessary to build a privacy compliance program and respond to privacy rights requests. Adding breach reporting procedures would also be a great course of action.
Response Procedures: Develop procedures for responding to employee requests, including managing sensitive requests while keeping personal information confidential and accessible to internal personnel only on a need-to-know basis. (NOTE: You typically have 30 days to respond to a request unless the privacy law applicable in your area specifies otherwise.)
While it is good to prepare for what's to come, be ready to make further changes as they are required. Regulators may tweak a requirement or add an amendment that makes whatever you already have set up insufficient. Designating someone to keep an eye on the CPRA and the obligations it sets for employers is advised.