What California businesses need to know about employee data

The California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023 and will amend and expand the privacy rights under the California Consumer Privacy Act (“CCPA”). Assuming no further applicable amendments or supplements are adopted, the CPRA will eliminate the CCPA exemptions that apply to employee data, and businesses subject to the CPRA will have to comply with obligations related to the processing of employee data.

What is the current situation under the CCPA?

Currently, the CCPA provides employers with limited exemptions with respect to employment-related personal information where such personal information is collected and used only in connection with the individual’s role as an employee or job applicant, dependent, beneficiary, contractor, or independent proprietor. Specifically, the CCPA does not extend certain consumer rights, including the right to access or delete personal information, to employees. Note, however, that the CCPA does not provide a general exemption for employment-related data: employers are still required to adequately retain the personal information they collect and to provide notice of the processing (at or before the point of collection of the personal information) to the applicable individual.

What are the new obligations and rights related to employee data under the CPRA?

(1) Employers must prepare and provide a privacy notice to an employee and/or job applicant at or before the time personal information is collected.

  • This notice must include: (a) the categories of sensitive personal information collected; (b) whether that sensitive personal information is sold or shared; and (c) the length of time the employer intends to retain each category of sensitive personal information.

  • If an employer allows a third party to collect personal information on its behalf, the CPRA requires the third-party collector to provide notice at the time of collection.

  • Along with providing notice that describes consumer rights, who is collecting the data, and how and for what purpose such data is collected, sold, used or shared, an employer must also list the categories of all third parties to which the employer discloses, or allows to collect, consumer personal information.

(2) Unless they can rely on an exception, employers must honor consumer requests, such as the rights to know, access, delete and correct personal information, the right to data portability, the right to non-discrimination, the right to restrict the use and disclosure of sensitive personal information, and the right to opt out of both the sale and the sharing of personal information.

(3) Businesses must protect personal information against unauthorized disclosure and provide employees with the right to restrict the use and disclosure of sensitive information.

(4) Finally, a business must enter into a Data Processing Agreement (“DPA”) with its vendors (i.e., any service providers, contractors or other third parties who may have access to its personal information). This requirement applies regardless of the type of personal information processed (i.e., employment-related or otherwise). The DPA must include the following provisions:

  • Identify the limited and specific business purposes and services for which the vendor will process the personal information, as set out in the contract.

  • Prohibit the retention, use or disclosure of personal information for any purpose other than those specified in the contract.

  • Prohibit the retention, use or disclosure of personal information obtained for any commercial purpose other than the business purposes specified in the contract.

  • Prohibit the retention, use or disclosure of personal information outside of the direct business relationship between the vendor and the business, AND prohibit the retention, use or disclosure of personal information for purposes other than the business purposes specified in the contract.

  • Require vendors to comply with applicable obligations under the CPRA and provide the same level of privacy protection as required.

  • Require the vendor to notify the business if it can no longer meet its obligations under the CPRA.

  • Give the business the right to take reasonable and appropriate steps to ensure that the vendor uses personal information in a manner consistent with the business’s obligations under the CPRA.

  • Give the business the right to take reasonable and appropriate steps to stop and correct unauthorized use of personal information.

  • Require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that it must comply with, and provide the information necessary for the service provider or contractor to comply with the request.

Note that, in addition to the requirements listed above, a business must include provisions that:

  • Prohibit the sale and sharing of personal information.

  • Require notification of any engaged sub-processors and mandate that sub-processors are contractually bound by the same processing obligations.

Businesses are also required to carry out due diligence assessments, such as audits, on their vendors to ensure they can process personal information in accordance with the CPRA.

What should employers do to prepare for the CPRA?

  • Understand the employment-related personal information your business processes by undertaking a data inventory/data mapping exercise.

  • Understand the rights and exemptions the CPRA provides to California consumers, and your business’s obligations in responding to consumer rights requests under the CPRA.

  • Ensure that your business provides its employees and job applicants with notice at or before the time of collection of personal information, and that such notice meets the requirements of the CPRA.

  • Ensure that DPAs are in place with all vendors, including those that process employment-related personal information.

  • Consider developing privacy and cybersecurity impact assessment programs to understand and remediate privacy and security compliance gaps.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 242
