
California Privacy Rights Act

FYI: California Privacy Rights Act - Employer Compliance

Join us for the Get Ready for 2023 (Employment Law Update Edition)! Each week we will highlight a new law coming in 2023. We’ll start with the ones that will require the most action and end with the good-to-knows. If you need assistance with executing any of these new requirements or are unsure if it is applicable to your business, we are here to help! Just Ask Us!

Employer Compliance

Protection of privacy rights has brought a lot of changes on the consumer side of businesses. I’m sure we have all noticed the privacy disclosures pop up when we are just trying to buy the newest pair of Nikes… However, it is now time for the same changes to reach the employer side of things, specifically Human Resources data.

CPRA regulations will not apply to all employers. Who will it apply to?

Employers who have at least one employee in California (even if your business is not located in California). The law only applies to employees in the state, AND at least one of the following must apply:

  • Your company made over $25 million in gross revenue globally in the previous calendar year; OR
  • Your company annually collects, stores, analyzes, discloses, or processes personal information of 100,000 or more California residents or households; OR
  • Your company derives at least 50% of its annual revenue from selling or sharing the personal information of California residents.

It does not apply to non-profit organizations or government organizations.

If this won’t apply to you, feel free to close this email! If it does apply, hang tight…

This is a pretty heavy lift with a lot of little caveats… if the CPRA applies to you, we recommend counsel assist you with the disclosures that are required. We provide a high-level overview of the information available, but as you all know (and as a reminder), we do not provide legal advice.

As of January 1, 2023, certain employers may need to add disclosures to their application and onboarding processes. Enforcement is set to begin on July 1, 2023.

Businesses are considered covered employers when they…

  • have at least one employee in California
  • collect information of California consumers and/or employees AND
  • have gross revenue for the previous year exceeding $25 million; buy, sell or share personal information of 100,000 or more consumers or households; OR derive 50% or more of their annual revenue from selling or sharing consumer personal information

Employee rights include: 

  • Right to know: Employees must be provided with a notice that states the personal information that the employer collects, shares, sells or discloses. This includes data it sends to third party administrators, such as benefit brokers.
  • Right to Rectify: Employees may request to correct or change the personal information their employer has on file. The employee may only change certain information with valid verification (such as a social security card). Items such as email or phone number do not need to be verified prior to change.
  • Right to Delete: Employees may request that certain personal information be deleted. We understand that certain information is required to employ someone (such as social security numbers or dependent information), and those exceptions are granted. However, if personal information is found to not be relevant or needed during the course of employment, the employee may ask that it be deleted. Personal information required to be kept for record retention purposes or other applicable laws does not need to be deleted at the employee’s request.
  • Right to Data Portability: Employees may request that a copy of their personal information be sent to them or to an authorized third party.
  • Right to Limit Use: Employees may request that disclosure and use of sensitive personal information be limited.

This law also protects against any discrimination or retaliation for employees who exercise their rights under the CPRA.

The CPRA also requires that certain notices be given at the time the data is collected (“time of collection”) and that an online privacy policy be maintained. The time of collection notice must be provided at or before the time personal information is collected from employees, applicants, contractors, etc., explaining what information is being collected, how it is being used, and how long it is being stored.

A privacy policy must also be created and available to employees that states: 

  • Categories of personal information collected during the previous 12 months;
  • Sources of the collected personal information;
  • Business or commercial purposes for collecting personal information;
  • Categories of third parties who may receive their personal information;
  • A statement that the business has not sold or shared personal information during the previous 12 months;
  • Employee’s rights under the CPRA and how to exercise those rights.

The online privacy policy should be made available to all employees and contain a retrospective view of how the company has handled personal data in the last 12 months. The notice should include the appropriate protections it is implementing to protect personal information, security procedures, sources from which they are collecting the data, business or commercial purposes for the data, the categories of third parties that the company discloses this data to (such as a benefits broker), and how employees may exercise their rights under the CPRA.

This is a lot of information and generally out of the HR realm, aside from the distribution of the disclosures. We recommend if this applies to you, you review with counsel to ensure your notices comply with the specific CPRA requirements.