California employer’s reprieve from obligations to employees to disclose data privacy practices and provide access rights to employees appears to be coming to an end as the California Privacy Rights Act (CPRA) becomes effective on January 1, 2023. Notably, the CPRA will eliminate the California Consumer Privacy Act’s (CCPA) exemption for employee personal information. As a result, nearly all businesses with employees who are California residents, including those non consumer facing businesses who have not previously been subject to the CCPA, will need to implement internal policies, procedures and mechanisms to ensure compliance.
Currently, the CCPA’s employee personal information exemption provides that the CCPA does not apply to the personal information of consumers who are acting as a job applicant, employee, owner, director, medical staff member, or contractor of the business collecting their information. This exemption was initially set to expire in January 2021, but the California legislature opted to extend the exemption until January 2022. The CPRA further extended the exemption through January 1, 2023. Nonetheless, though the California legislature proposed two bills that would have once again extend the exemption past January 1, 2023—one temporarily and one permanently—on August 31, 2022, California’s legislative session ended without enacting either of these bills.
The end of the exemption means that when the CPRA comes into effect, all of the CPRA’s requirements with respect to a business’ handling of consumer personal information will apply to employee personal information. This includes requirements that are currently in effect under the CCPA as well as the new requirements added under the CPRA.
It is important to note the CPRA applies only to employees that are California residents, based on the definition of consumer. Businesses with a presence in multiple jurisdictions in the United States can consider applying a uniform approach, but should keep in mind employment laws in those other jurisdictions and any applicable data privacy laws in other jurisdictions. Notably, recent comprehensive data privacy laws passed in Virginia, Colorado, Utah and Connecticut exempt personal data collected in the context of employment.
Requirements Businesses Should be Prepared to Implement for Employee Personal Information in 2023
- Notice at Collection: Currently under the CCPA, businesses are required to provide employees and job applicants a notice at collection explaining the types of personal information collected and the purposes for which such information will be used. Businesses should update these notices with the additional required disclosures, including information about rights, retention periods, and personal information disclosed by employers (for example, to service providers). This notice will take a similar form to privacy notices posted online for consumers, but should be tailored toward employee personal information.
- Responding to Employee Requests to Exercise Rights: The CPRA grants to employees the same rights consumers currently enjoy under the CCPA (including the right to know, the right to delete, the right to non-discrimination for exercising rights, and the right to opt-out of the sale of personal information, as applicable). Additionally, the CPRA also adds consumer rights like the right to correct inaccuracies in personal information collected, the right to opt-out of sharing1 personal information, and the right to limit the use and disclosure of sensitive personal information. Businesses should establish methods for employees to exercise these rights and develop internal processes for verifying and responding to such requests. An important piece of developing these processes will include data mapping specific to employee personal information. Businesses need to understand what information is collected and where it is stored in order to respond to requests within the required timeframe. Additionally, businesses must train appropriate personnel to respond to employee rights requests, including understanding when denying a request pursuant to an exception may be appropriate.
- Contracts with Service Providers: Businesses should review agreements in place with any vendors that handle employee personal information to ensure they include the CPRA’s required clauses. The CPRA includes specific requirements for contracts that are required to designate a party as a service provider or contractor to a business, like prohibiting any onwards sale or sharing of personal information. Businesses should ensure that vendor contracts satisfy these service provider or contractor designation requirements to avoid any potential (but unlikely) challenges to disclosures as a “sale” or “sharing” of information under the CPRA.
- Requirements Based on Forthcoming Regulations: The California Privacy Protection Agency (CPPA), the agency established by the CPRA responsible for enforcement and rule-promulgation, is expected to publish its final implementing regulations for the CPRA later this year. Regulations will include requirements for certain businesses to perform cybersecurity audits and risk assessments and implement rights to access and opt-out with respect to a business’ use of automated decision-making technology. These obligations will likely apply both to employee personal information and consumer information.
Practical Considerations for Employers
Implementing these requirements in practice will require many businesses to navigate unfamiliar territory with limited regulatory guidance to date. Below we outline scenarios that employers may face along with relevant compliance considerations.
- Onboarding and Collection of Sensitive Personal Information: When onboarding new hires, businesses will have to take into account new requirements under the CPRA relating to the collection and processing of employee personal information. In particular, businesses should consider the new requirement under the CPRA giving consumers (and in this case employees) the right to limit the use and disclosure of sensitive personal information. The CPRA’s definition of sensitive information includes identifiers such as social security number, driver’s license number or passport number; a consumer’s financial account credentials; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email, mail, or text messages unless the business is the intended recipient; consumer’s genetic data; processing of biometric information for the purpose of uniquely identifying a consumer; health related personal information; and personal information concerning a consumer’s sex life or sexual orientation. Typically, employers collect information that would be considered sensitive personal information including financial and demographic information or health or biometric information for general HR purposes such as payroll, administration of benefits, and timekeeping. Importantly, per CPRA §1798.121(d), sensitive information collected or processed, “without the purpose of inferring characteristics about a consumer,” is not considered sensitive personal information and will instead be treated as personal information under the statute. This language suggests that many of the general HR purposes for collection of sensitive personal information would have that information treated as personal information and it would therefore not fall within the scope of the new right. However, businesses should carefully assess the types of personal or sensitive personal information collected from employees and the purposes for its collection to assess if they are required to provide employees a right to limit use or disclosure of sensitive personal information.
- Hiring Procedures and Employee Review: In March 2022, the California Attorney General published a brief legal opinion stating that under the CCPA, “a consumer has the right to know internally generated inferences about that consumer” unless a statutory exception applies. With no additional guidance, because the right to know includes internally generated inferences, businesses will need to be conscious of the way they conduct the hiring process and internal reviews of employees as the relevant consumer may be able to request access to this information under the CPRA.
- Employee Communications: The normal course of business typically includes internal communications by or about employees that could contain personal information as defined in the CPRA. Additionally, as stated above, the CPRA includes “the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication” in its definition of sensitive personal information. Businesses can likely argue that contents of communications by the employee are not collected for the purposes of inferring characteristics about that person and so should not be considered sensitive personal information. Even assuming businesses can consider the content of these communications as personal information rather than sensitive personal information, employees would still have the ability to exercise other rights such as the right to know or delete. Employees could also, in theory, exercise these rights with respect to communications that contain personal information about them. With the current lack of guidance on the applicability of these rights in this context, businesses will need to closely review the purposes for which personal information may be used or stored in internal communications and consider any potential exceptions that might apply should an employee attempt to exercise their rights.
- Post-Employment: Businesses that retain personal information of former employees or job applicants will be required to respond to requests regarding this personal information. Businesses should consider establishing methods by which these individuals may make these requests. Businesses should also ensure these requests do not create a conflict with any applicable employee data retention laws.
In light of the California legislature’s failure to extend the employee personal information exemption, businesses will need to be prepared to comply with relevant CPRA requirements. As described above, this will include both adjusting existing CCPA compliance mechanisms to accommodate employee personal information and establishing new processes to satisfy new requirements under the CPRA. As January is rapidly approaching, businesses should begin reviewing their compliance obligations as soon as possible. We will continue to provide updates and analysis of the detailed requirements under the CPRA and its forthcoming regulations, along with other upcoming data privacy legislation.
1 Under the CPRA, “sharing” is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”