[This is the first in a series of blog posts on how businesses should prepare for the California Privacy Rights Act, which will enter into force on January 1, 2023.]
Since January 1, 2020, the California Consumer Privacy Act (“CCPA”) has required covered businesses (as defined below) to provide notice to California employees and job applicants regarding the types of personal information that a business collects. Certain key employee exemptions, however, previously limited the privacy-related requirements for employers and the corresponding rights of employees and job applicants. Those exemptions are set to expire on January 1, 2023.
The California Privacy Rights Act (“CPRA”) had extended the exemptions through December 31, 2022, and while many expected the exemptions to be extended once more, the California legislature closed its session without passing any extension. The legislature’s failure to agree on an extension means that on January 1, 2023, certain rights previously granted only to non-employee consumers will now apply fully to an employer’s California workforce.
Employers should assess how these new rights will impact their privacy policies and the privacy notices provided to job applicants and employees.
How Employers Can Prepare for January 1, 2023:
- Review Current Employee Privacy Practices: Employers should reexamine their current practices and policies regarding employee privacy. This should include a review of the employee and job applicant data that they collect to ensure that all required categories of personal information collected are disclosed prior to or at the time of collection. Policies should also be reviewed to examine whether employee monitoring is “reasonably necessary and proportionate” under the CPRA.
- Update Privacy Notices to Include Information on Rights Now Applicable to Employees: Starting January 1, 2023, employee privacy notices must inform job applicants and employees of their:
(1) right to know the types of personal information that have been collected;
(2) right to request deletion of personal information (subject to certain exceptions—for example, a business does not need to delete personal information needed to comply with a legal obligation);
(3) right to opt out of automated decision-making technology (which includes profiling employees based on automated technology);
(4) right to correct inaccurate personal information; and
(5) right to limit the sharing or selling of sensitive personal information (discussed below).
- Update Privacy Notice to Specifically Identify “Sensitive Personal Information”: The CPRA also introduces a new requirement to specifically identify “sensitive personal information” (“SPI”) collected from consumers and employees alike. SPI includes, among other things, social security numbers, driver’s license numbers, racial or ethnic information, and biometric or geolocation data. Privacy notices should be updated to specifically identify any SPI collected and, if applicable, how any SPI is sold (and, in certain instances, shared).
- Review and Amend Data Processing Agreements with Service Providers that Process Employee Data: The CPRA requires that employers sharing personal information or sensitive personal information with service providers must ensure that the service agreements contain certain required protections and terms. For example, the agreements must include a right to audit the service provider’s data protection.
Is My Business a Covered Business Subject to the CCPA/CPRA?
All businesses that (1) conduct business in California for the profit or financial benefit of their shareholders or owners, (2) collect consumers’ (i.e., California residents’) personal information, and (3) meet any of the following three thresholds are covered businesses that must have a privacy notice for California residents that complies with the CCPA and CPRA:
- Has annual gross revenues in excess of $25 million; or
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 (or 100,000 after January 1, 2023) or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Covered businesses also include companies and individuals that control or are controlled by a business that satisfies the above requirements and have common branding (e.g., name, service mark, trademark, etc.) with a business that satisfies the above requirements.
Any employer covered by the CCPA should carefully assess its employee privacy policies, practices, and agreements to ensure compliance with the CCPA and CPRA. If you are experiencing issues with, or have concerns over, any privacy-related question, please contact the authors of this article or your trusted adviser at Atkinson, Andelson, Loya, Ruud & Romo.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2022 Atkinson, Andelson, Loya, Ruud & Romo
- Senior Associate
Christopher Francis is a seasoned litigator who focuses his practice on representing clients in complex domestic and international litigation cases. His practice includes investigating and defending allegations of Foreign ...
Brian Wheeler leads the firm’s Intellectual Property and Data Security & Privacy team. His practice focuses on intellectual property, data security and privacy, and high-stakes complex commercial litigation, water ...