Starting January 1, 2023, businesses subject to the California Privacy Rights Act (CPRA) (which amended the California Consumer Privacy Act (CCPA)) will need to reconsider their privacy practices, not just with respect to personal information of their customers, but also with regard to the information of their personnel.
As a reminder, a company doing business in California is subject to the CPRA if any of the following conditions apply:
- the company had annual gross revenues greater than $25 million in the preceding calendar year;
- the company collects, stores, analyzes, discloses or otherwise uses the personal information of 100,000 or more California residents or households in any given year; or
- the company derives at least 50% of its annual revenue from selling (disclosing to a third party for monetary or other consideration) or sharing (disclosing to a third party for cross-contextual advertising) the personal information of California residents.
Note that the CPRA applies, even if the company does not have offices in California, if it meets one of the above thresholds and does business in California.
Companies subject to the CPRA must write new personnel privacy policies or update existing policies that disclose personal information they collect in the context of employment, including from employees and contractors.
Privacy policies will now need to include additional information regarding data retention periods (or the criteria used to determine those periods) and more detailed information regarding the types of data collected, including sensitive data. Updated privacy policies will also need to provide certain rights to employees that previously, under the CCPA, applied only to other types of consumers, such as corporate website users and/or customers.
Companies will need to determine where to post and disclose these privacy policies, as they must be available at the time of collection. Thus, companies would be well served to include privacy policies on job applications and recruitment website pages, as well as to make them readily available to existing staff in internal staff manuals and on company intranets.
Staff will have various additional rights under the CPRA:
Right to access – Staff will be able to request access to data retained by the company as of January 1, 2022. This personal information may be stored in various places within a company, including in employee emails and chats, as well as in CVs and other personnel files. Companies will need to consider the rights of other employees and may need to redact data about them that may be included in the requesting employee’s personnel file. Businesses need to think about how to verify requests, for example via SMS or email. Third-party automated systems can be used to search for and find all the data a company holds.
Right to deletion – Subject to certain exceptions and legal data retention obligations, companies will need to be able to act quickly within the prescribed 45-day period (with an optional 45-day extension) to delete certain data.
Right of rectification – Staff can require companies to correct inaccurate data concerning them.
Right to restrict the use of sensitive information for certain specific purposes – Sensitive information is generally data of such a nature that, if accessed by an unauthorized third party, the access would likely be considered a security breach under various state security breach laws. For example, sensitive information includes biometric data, social security numbers, and driver’s license or passport numbers. Sensitive information also includes data more in line with European standards of what is considered sensitive, such as racial and ethnic origin, trade union membership, precise geolocation, religion and sexual orientation. Staff will have the right to restrict the use of their sensitive information to specific purposes.
Right to opt out of sale – Given the broad definition of a sale under the CPRA, companies will need to consider whether they should offer this right and/or include links on their sites to make these opt-out requests. For example, if the company’s insurance provider can offer additional products to staff in exchange for a better insurance rate for the company, this can be considered a data sale. While the CPRA generally provides additional opt-out rights for information sharing, sharing is defined as the disclosure of personal information for cross-context behavioral advertising, which would not apply in the employment context.
Companies with staff in different states should consider whether they want to offer the same rights to all staff or only to California-based staff. Other state laws may differ, further complicating the landscape and considerations.
What to do now
First, before starting to update documents, companies should have a clear picture and understanding of their data collection practices. A company should perform detailed data mapping exercises to know where its data is stored, not only to update its policies, but also to be able to respond properly and efficiently to a user’s request to access their data.
Moving from the data mapping stage, companies will need to update their privacy policies and data retention policies and practices. Organizations may have an interest in limiting the data they keep to reduce the volume of data to be filtered in the event of a data access request. For example, a company may determine that it will no longer record chat logs or retain them for a shorter period.
Human resources departments should be involved in discussions and plans for updating policies and procedures. They will also need to undergo training to ensure they understand how to react if a consumer makes a request.
Last but not least, data protection addenda or agreements with service providers and subcontractors should be reviewed. These contracts must include the appropriate language required by the CPRA.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.