The California Privacy Rights Act will go into full effect on January 1. The CPRA is commonly referred to as a “new” act, but is actually an add-on/modification to the California Consumer Privacy Act of 2018, which has been in force since January 1, 2020. Like the CCPA, the CPRA covers only California “consumers” (roughly any individual who resides in California on anything other than a temporary basis). A covered “business” under the CPRA is defined as a for-profit entity that collects personal information from a California consumer and also meets at least one of three threshold requirements: (1) earns $25M in annual revenue, (2) processes the data of at least 100,000 California consumers annually (this was previously 50,000 under the CCPA), and/or (3) derives at least 50 percent of its revenue by selling or sharing personal information.
One interesting aspect of the CCPA was that job applicants, employees, owners, officers, directors, and medical staff members of a business (collectively, “employees”) had been exempted, for the most part, from its mandates. The CCPA did, however, provide two entitlements to such employees: 1) a right to be informed of the type of data collected from them and the reasons for collecting it, and 2) a private right of action against the business in the event of a data breach where it was determined that “reasonable security procedures” were not in place.
Unfortunately for businesses, those exemptions will disappear when the CPRA kicks in on January 1. Businesses will now need to make sure that employees, as well as business-to-business contacts, are afforded all remaining rights and entitlements under the CCPA that “ordinary” consumers have received. And the CPRA provides many new rights to all.
Here are the existing CCPA consumer rights that will now also apply to employees under the CPRA:
Right to delete information
The CPRA allows employees to request the deletion of their personal information held by the employer. The employer is then bound to provide a formal response within 10 business days and accomplish the deletion within 45 days (with the possibility of a second 45-day period). This new employee deletion right can cause consternation for a business, for obvious reasons. For one, a business has many legal requirements to retain certain employee data. There may also be confidential disciplinary files, as well as legal document retention requirements. Fortunately, the CPRA does take this into consideration and provides exceptions, including an exception if retention of the information is “reasonably necessary for the business” or necessary “in order to comply with a legal obligation.” An employer must therefore understand and assess all federal, state and local requirements, including those set forth in the California Electronic Communications Privacy Act, the Fair Labor Standards Act, and the Family Medical Leave Act.
Right to opt out of the sale (and now sharing) of personal information
Under the CCPA, consumers had the right to opt out of the sale of their personal information. A “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party” for monetary or other valuable consideration. This has been very broadly interpreted and can include many arrangements that would not otherwise look like a sale. For example, if a business provides personal information to a third party in order to receive a discount or “free” business analytics, that would be a “sale.”
The CPRA defines “sharing” in the same manner as a “sale,” with one addition: when the personal information is provided to a third party for the purpose of cross-context behavioral advertising. Cross-context behavioral advertising is defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
Whether data is “sold” or “shared,” a consumer, including an employee, must be provided the right to opt out through a “Do Not Sell/Share my Personal Information” link. Since employers collect so much data, including browser information and even cell phone numbers, they have their work cut out for them.
Here are some of the new rights that will apply to every consumer, including employees:
Sensitive personal information
Although the CCPA had a broad definition of “personal information” – in short, any information that can be used to identify a particular individual – the CPRA takes it one step further by creating a class of “sensitive personal information.” Following in the footsteps of the European Union’s General Data Protection Regulation, this new class of protected information includes, but is not limited to, a Social Security number, driver’s license number, passport number, account log-in name and password, geolocation data, racial or ethnic origin, religious or philosophical belief, union membership, the contents of mail, email or a text message, genetic data, the processing of biometric information for the purpose of identifying an individual, or sexual orientation or preference.
Moreover, when a business collects sensitive personal information for the purposes of “inferring characteristics” about a consumer, it may do so only to provide the goods or services requested by the consumer and as expressly disclosed to the consumer. How this plays out when it comes to employees remains to be seen.
In any event, if a business chooses to use or disclose sensitive information for any purpose other than what it was specifically collected for, or for inferring a consumer’s characteristics, it must so state and provide the consumer with the right to opt out of such use through a mechanism entitled “Limit the Use of My Sensitive Personal Information.” For sensitive personal information that is not used for inferring a consumer’s characteristics, an opt-out is not required. It may, nonetheless, be a best practice to provide one.
Businesses need to think long and hard about the sensitive information they collect from their employees and its use. For example, do they use this information to provide health, counseling, or financial services to the employee? Do they use it for diversity and inclusion efforts? Do they use it for predictive analytics? If so, businesses will need to consider whether to provide an opt-out. Under some circumstances, however, such use would arguably be “reasonably expected by an average” consumer (or employee), which is an exemption, and therefore an opt-out may not be necessary. It is important to note that the CPRA also provides an exemption from the disclosure and opt-out requirements if the sensitive information is “publicly available.” However, that is narrowly defined. And the exemption does not apply to biometric information obtained without the consumer’s knowledge.
Right to correct
Like the GDPR, the CPRA now provides the opportunity to correct any personal data held by the business that the consumer believes is inaccurate. Employees may ask an employer to correct certain personal information, so employers will have to develop policies with regard to what they can and cannot change. This may be difficult when it comes to things like complaints and investigations.
Automated decision making
Similar to the protections provided to consumers regarding sensitive personal information, under the CPRA consumers, including employees, will also have the right to access a business’s automated decision-making technology. Many businesses use this technology to profile employees based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.” Though the parameters of the right to opt out of the use of such technology have yet to be defined by the California Privacy Protection Agency, this is something businesses must start seriously thinking about, especially when it comes to their employees. As with the use of sensitive information, an opt-out link must be provided.
Removal of 30-day window to cure
The CCPA provided a business the opportunity to cure any non-compliance within 30 days after receiving formal notice. That has been eliminated in the CPRA. Although individuals have only a limited private right of action for non-compliance with the CCPA/CPRA (a data breach following a failure to use reasonable security procedures), the State Attorney General is not so limited. Witness the recent $1.2M fine leveled by the California Attorney General against Sephora, Inc., for inadequate disclosures and failure to honor global opt-out signals after repeated unsuccessful requests to cure the deficiencies. And now fines can technically be issued without warning or an opportunity to cure.