Preparing For The CPRA Part 1: Changes To Requirements For Employee Data  

[This is the first in a series of blog posts on how businesses should prepare for the California Privacy Rights Act, which will enter into force on January 1, 2023]

Although since January 1, 2020, the California Consumer Privacy Act (“CCPA”) has required covered businesses (as defined below) to provide notice to California employees and job applicants regarding the types of personal information that a business collects, certain key employee exemptions previously limited the privacy-related requirements for employers and corresponding rights of employees and job applicants.  However, those exemptions are set to expire on January 1, 2023.

The California Privacy Rights Act (“CPRA”) had extended the exemptions through December 31, 2022, and while many expected the exemptions to be extended once more, the California legislature closed its session without passing any extension.  The legislature’s failure to agree on an extension means that on January 1, 2023, certain rights previously granted only to non-employee consumers will now apply fully to an employer’s California workforce.

Employers should assess how these new rights will impact their privacy policies and the privacy notices provided to job applicants and employees. 

How Employers Can Prepare for January 1, 2023:

  • Review Current Employee Privacy Practices: Employers should reexamine their current practices and policies regarding employee privacy. This should include a review of the employee and job applicant data that they collect, to ensure that all required categories of personal information collected are disclosed prior to or at the time of collection.  Policies should also be reviewed to examine whether employee monitoring is “reasonably necessary and proportionate” under the CPRA.
  • Update Privacy Notices to Include Information on Rights Now Applicable to Employees: Starting January 1, 2023, employee privacy notices must inform job applicants and employees of their:

(1) right to know the types of personal information that has been collected;

(2) right to request deletion of personal information (subject to certain exceptions—for example, a business does not need to delete personal information needed to comply with a legal obligation);

(3) right to opt out of automated decision-making technology (which includes profiling employees based on automated technology);

(4) right to correct inaccurate personal information; and

(5) right to limit the sharing or selling of sensitive personal information (discussed below).

  • Update Privacy Notice to Specifically Identify “Sensitive Personal Information”: The CPRA also introduces a new requirement to specifically identify “sensitive personal information” (“SPI”) collected from consumers and employees alike. SPI includes, among other things, social security numbers, driver’s license numbers, racial or ethnic information, and biometric or geolocation data.  Privacy notices should be updated to specifically identify any SPI collected and, if applicable, how any SPI is sold (and, in certain instances, shared). 
  • Review and Amend Data Processing Agreements with Service Providers that Process Employee Data: The CPRA requires that employers sharing personal information or sensitive personal information with service providers must ensure that the service agreements contain certain required protections and terms.  For example, the agreements must include a right to audit the service provider’s data protection. 

Is My Business a Covered Business Subject to the CCPA/CPRA?

All businesses that (1) conduct business in California for the profit or financial benefit of their shareholders or owners, (2) collect consumers’ (i.e., California residents’) personal information, and (3) meet any of the following three thresholds are covered businesses that must have a privacy notice for California residents that complies with the CCPA and CPRA:

  1. Has annual gross revenues in excess of $25 million; or
  2. Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 (or 100,000 after January 1, 2023) or more consumers, households, or devices; or
  3. Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Covered businesses also include companies and individuals that control or are controlled by a business that satisfies the above requirements and have common branding (e.g., name, service mark, trademark, etc.) with a business that satisfies the above requirements.

Conclusion

Any employer covered by the CCPA should carefully assess its employee privacy policies, practices, and agreements to ensure compliance with the CCPA and CPRA.  If you are experiencing issues with, or have concerns over, any privacy-related question, please contact the authors of this article or your trusted adviser at Atkinson, Andelson, Loya, Ruud & Romo.  

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process. 
© 2022 Atkinson, Andelson, Loya, Ruud & Romo