[This is the first in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]
Although since January 1, 2020, the California Consumer Privacy Act (“CCPA”) has required covered businesses (as defined below) to provide notice to California employees and job applicants regarding the types of personal information that a business collects, certain key employee exemptions previously limited the privacy-related requirements for employers and corresponding rights of employees and job applicants. However, those exemptions are set to expire on January 1, 2023.
The California Privacy Rights Act (“CPRA”) had extended the exemptions through December 31, 2022, and while many expected the exemptions to be extended once more, the California legislature closed its session without passing any extension. The legislature’s failure to agree on an extension means that on January 1, 2023, certain rights previously granted only to non-employee consumers will now apply fully to an employer’s California workforce.
Employers should assess how these new rights will impact their privacy policies and the privacy notices provided to job applicants and employees.
How Employers Can Prepare for January 1, 2023:
- Review Current Employee Privacy Practices: Employers should reexamine their current practices and policies regarding employee privacy. This should include a review of the employee and job applicant data that it collects to ensure that all required categories of personal information collected are disclosed prior to or at the time of collection. Policies should also be reviewed to examine whether employee monitoring is “reasonably necessary and proportionate” under the CPRA.
- Update Privacy Notices to Include Information on Rights Now Applicable to Employees: Starting January 1, 2023, employee privacy notices must inform job applicants and employees of their:
(1) right to know the types of personal information that has been collected;
(2) right to request deletion of personal information (subject to certain exceptions—for example, a business does not need to delete personal information needed to comply with a legal obligation);
(3) right to opt out of automated decision-making technology (which includes profiling employees based on automated technology);
(4) right to correct inaccurate personal information; and
(5) right to limit the sharing or selling of sensitive personal information (discussed below).
- Update Privacy Notice to Specifically Identify “Sensitive Personal Information”: The CPRA also introduces a new requirement to specifically identify “sensitive personal information” (“SPI”) collected from consumers and employees alike. SPI includes, among other things, social security numbers, drivers license numbers, racial or ethnic information, and biometric or geolocation data. Privacy notices should be updated to specifically identify any SPI collected and, if applicable, how any SPI is sold (and, in certain instances, shared).
- Review and Amend Data Processing Agreements with Service Providers that Process Employee Data: The CPRA requires that employers sharing personal information or sensitive personal information with service providers must ensure that the service agreements contain certain required protections and terms. For example, the agreements must include a right to audit the service provider’s data protection.
Is My Business a Covered Business Subject to the CCPA/CPRA?
All businesses that (1) conduct business in California for the profit or financial benefit of their shareholders or owners, (2) collect consumers’ (i.e., California residents) personal information, and (3) that meet any of the following three thresholds are a covered business that must have a privacy notice for California residents that complies with the CCPA and CPRA:
- Has annual gross revenues in excess of $25 Million; or
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 (or 100,000 after January 1, 2023) or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Covered businesses also include companies and individuals that control or are controlled by a business that satisfies the above requirements and have common branding (e.g., name, service mark, trademark, etc.) with a business that satisfies the above requirements.
Conclusion
Any employer covered by the CCPA should carefully assess their employee privacy policies, practices, and agreements to ensure compliance with the CCPA and CPRA. If you are experiencing issues with, or have concerns over any privacy related question, please contact the authors of this article or your trusted adviser at Atkinson, Andelson, Loya, Ruud & Romo.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2022 Atkinson, Andelson, Loya, Ruud & Romo
- Of Counsel
Christopher Francis is a seasoned litigator who focuses his practice on representing clients in complex domestic and international litigation cases. His practice includes investigating and defending allegations of Foreign ...
- Partner
Brian Wheeler is Chair of the firm’s Commercial and Complex Litigation Practice Group. He also leads the firm’s Intellectual Property and Data Privacy practices within the Practice Group, overseeing AALRR’s team of ...
Other AALRR Blogs
Recent Posts
- Alert: FinCEN Announces Limited Extensions to Corporate Transparency Act Reporting Deadlines
- Court of Appeal Sheds Light On The Rights Of Limited Liability Companies And Its Members
- Dueling OpenAI Copyright Cases to Remain Separate, Parallel Actions on Both Coasts
- Section 16600 and the Fate of Trade Secret Exception
- The Contract Is In The Details
- Teaming With Our Clients – California Adopts “Initial Disclosures” in State Court Civil Litigation
- Recent Court of Appeal Decision Shows The Limits Of Exculpatory Clauses In Commercial Leases, Including Limitation of Damages Provisions
- Understanding Deceptive California Statement of Information Scams
- Closing of Pre-Hearing Discovery Loopholes in Arbitration
- International Enforcement of U.S. Trademarks: Simplicity for Complexity’s Sake
Popular Categories
- (26)
- (24)
- (1)
- (15)
- (4)
- (4)
- (2)
- (3)
- (3)
- (2)
- (2)
- (5)
- (2)
- (4)
- (5)
- (4)
- (1)
- (1)
- (3)
- (2)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
- (1)
Contributors
- Cindy Strom Arellano
- Reece C. Bennett
- Eduardo A. Carvajal
- Michele L. Collender
- Scott K. Dauscher
- Christopher M. Francis
- Evan J. Gautier
- Carol A. Gefis
- Edward C. Ho
- Micah R. Jacobs
- John E. James
- Jonathan Judge
- David Kang
- Jeannie Y. Kang
- Joseph K. Lee
- Shawn M. Ogle
- Kenneth L. Perkins, Jr.
- Jon M. Setoguchi
- Jon Ustundag
- Brian M. Wheeler