In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided businesses with initial guidance on important considerations for complying with the California Privacy Rights Act (CPRA). On January 1, 2023, California could become the first US state to enact a comprehensive privacy law for employment-related data (“B2E”), while the California Consumer Privacy Act (CCPA) currently applies only limited to employment data. As we continue to await final guidance from the California DPA, which we understand could be delayed until Q3 or Q4 2022, we continue to evaluate and provide guidance on key focus areas for businesses to consider as they develop a business Strategy for CPRA compliance for B2E.
As we reported here, California lawmakers recently proposed changes that expand the exemptions for B2E and business-to-business data, which we will continue to monitor closely. Still, companies are wise to move forward with compliance efforts assuming the exemptions expire, to ensure they can be fully compliant with the CPRA when it comes into effect.
Given the unique relationship between an employee and an employer, as well as the myriad of existing California employment laws that already cover employee rights, applying CPRA to employees will create a complicated overlap of privacy and labor laws that will force employers to carefully plan CPRA B2E strategy and implementation. In this article, we answer five frequently asked questions from companies preparing for CPRA B2E compliance.
- Does remote work affect how I determine which employees are in scope of CPRA B2E requirements?
Yes. As a first step towards compliance, employers offering remote work options should determine which members of their workforce are subject to the CPRA. As currently amended, CPRA applies only to “California residents” employees. Cal. civil. Code §1798.140(i).
This assessment is not as easy as it may have been before the pandemic. Today, that line is being blurred by the opportunity for remote work and the migration of California-based employees to states with fewer tax obligations and a lower cost of living. Employers should be aware of both remote work in today’s more flexible world and the impact it can have on employees’ residency in order to plan their organization’s CPRA implementation strategy accordingly.
While companies may consider adopting a consistent, national approach to B2E rights by respecting CPRA-like rights for all employees regardless of their residency, this approach may pose risks that should be carefully assessed and considered. For example, other states may have labor laws for workers that may conflict with CPRA rights. In addition, these non-California states may enact privacy laws that will apply to their local employees in the future. In addition, there is a risk of abuse of CPRA rights by plaintiffs’ employees, former employees and attorneys to circumvent traditional litigation disclosure procedures.
- Can employers simply extend their company’s CPRA program for California consumers to employees to be CPRA compliant?
Not quite. Existing CCPA rights for California consumers may not apply equally in the employment context, and other exceptions certainly apply when employers respond to employee requests. To avoid misapplying or misinterpreting CPRA rights in the B2E context, privacy advocates should carefully review CPRA requirements with their Human Resources or Labor Law department from an employment perspective, rather than adopting a one-size-fits-all approach.
A good example is the CPRA’s right to restrict the use and disclosure of sensitive personal information. According to the simple reading of the law, this right only applies to personal data that are marked with the “Purpose of derivation of characteristics.” §1798.121(a). Companies generally do not collect sensitive personal data with the aim of inferring characteristics of their employees; Rather, in the employment context, sensitive personal data would typically be processed to perform HR tasks, such as B. processing payroll and benefits. CPRA permits treatment of information not collected for the purpose of inferring characteristics as “Personal Information” for all sections of CPRA, including the requirement related to notification. Cal. civil. Code §1798.121(d). Unless otherwise specified in the regulations, this reduces the burden on the employer as there may not be a need to report sensitive information or to include the right to restrict the use and disclosure of sensitive personal information in the CPRA request process. Incorporating the right without proper legal scrutiny and analysis can create misunderstandings among employees about how their information is being used, which you as an employer should avoid.
As we explained in our previous blog post, before committing to their disclosure obligations or Consumers engage rights implementation to create a customized CPRA compliance program.
- The CCPA already required employers to provide notification to employees upon pickup. Is the existing CCPA notice to California employees sufficient to comply with CPRA?
- What specific new or changed rights will California employees have under CPRA?
One of the key obligations under CPRA will be to evaluate and respond in a timely manner to workers’ rights requests by granting the request or determining whether an applicable exemption applies. Employers should develop a detailed process by which workers’ rights requests are verified, accepted or partially or fully rejected and responded to.
At a minimum, California employees of all CPRA covered companies have the following rights:
- Good to know
- Right to Erasure
- Right to Correct Inaccurate Information
- Right to No Retaliation for Exercising CPRA Rights
As mentioned above, there are several legal exceptions that employers can rely on to ensure that the above rights do not interfere with the company’s legitimate need to continue processing and retaining certain employee personal data. For example, a request from an employee to delete personal information is not absolute, as an employer may retain personal information such as name, address and banking information necessary to fulfill an existing employment contract.
On the other hand, the following rights are more likely to be company specific and may not apply to employees of all companies:
- Right to Restrict Use and Disclosure of Sensitive Personal Information
- Right to Refuse Sale
- Right to Opt-Out of Sharing
- Right to information and right to object to automated decision-making
Businesses should carefully review any new or amended right under the CPRA and determine which exceptions may apply in which contexts.
- Do employers need to update supplier contracts regarding employee personal data?
Yes. Since CPRA will now also apply to all employees, employers must consider the disclosure of employee information to vendors, including service providers, contractors and third parties, in the same manner as they do for traditional consumer personal information under the CCPA and other privacy laws.
CPRA requires that agreements with third parties, service providers and contractors to whom employee personal information may be disclosed contain very specific language. The provisions should be added to both new and existing contracts and the resulting impact on business obligations will depend on what information about the employee is being shared, why the information is being shared and the role of the receiving entity.
The definition of “service provider” in the CPRA has been expanded to include new concepts related to “sale” and “sharing” and includes specific requirements for written contracts. One such requirement is, for example, to allow the employer to monitor the provider’s compliance with the contract through measures including, but not limited to, continuous manual reviews and automated scans and periodic assessments, audits or other technical and operational tests, at a minimum once every 12 months. See Cal. civil. Code §1798.140(ag).
We will continue to monitor updates regarding CPRA and its impact on B2E. Please stay tuned for future blog posts.