November 23, 2022

CPRA and Employee Data – What Businesses Need to Know

The California Privacy Rights Act (“CPRA”) comes into force on January 1, 2023, and will amend and extend the privacy rights under the California Consumer Privacy Act (“CCPA”). Assuming no further applicable extensions or amendments are passed, the CPRA will eliminate the CCPA’s exemptions that apply to employee data, and businesses subject to the CPRA will have to comply with obligations with respect to the processing of employee data.

What Is the Current Situation Under CCPA?

Currently, the CCPA provides employers with limited exemptions with respect to employment-related personal information, when that personal information is collected and used solely in connection with the individual’s role as an employee or job applicant, dependent, beneficiary, independent contractor or owner. Specifically, the CCPA does not extend certain consumer rights, including the right to access or delete personal information, to employees. Note, however, that the CCPA does not provide a blanket exemption for employment-related data: employers are still required to adequately safeguard the personal information they collect, and to provide notice of processing (at or before the point of collecting the personal information) to the applicable individual.

What Are the New Obligations and Rights Related to Employee Data under CPRA?

(1) Employers must prepare and provide a privacy notice to an employee and/or job applicant at or before the time personal information is collected.

  • This notice must include: (a) the categories of sensitive personal information, (b) whether that sensitive personal information is sold or shared, and (c) the length of time the employer intends to retain each category of sensitive personal information.

  • If an employer allows a third party to collect personal information on its behalf, the CPRA requires that the third-party collector provide notice at collection.

  • Along with providing notice that includes the consumer’s rights, who is collecting the data, and how and for what purpose such data is being collected, sold, used or shared, an employer must also include the categories of all third parties to which the employer discloses, or which it allows to collect, the consumer’s personal information.

(2) Unless they can rely on an exemption, employers must honor consumer requests to exercise rights such as the rights to delete, know, correct and access personal information, the rights to data portability and non-discrimination, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of both the sale and sharing of personal information.

(3) Businesses must safeguard personal information against unauthorized disclosures and provide employees with the right to limit the use and disclosure of sensitive information.

(4) Finally, a business must enter into a Data Processing Agreement (“DPA”) with its vendors (i.e., any service provider, contractor or other third party that may have access to its personal information). This requirement applies regardless of the type of personal information processed (i.e., employment-related or otherwise). The DPA must also include the following provisions:

  • Identify the limited and specific business purposes and services for which the vendor will process personal information as set forth within the contract.

  • Prohibit retaining, using or disclosing personal information for any purpose other than those specified in the contract.

  • Prohibit retaining, using or disclosing the personal information received for any commercial purpose other than the business purposes specified in the contract.

  • Prohibit retaining, using or disclosing the personal information outside of the direct relationship between the vendor and the business, and prohibit retaining, using or disclosing the personal information for any purposes other than the business purposes specified in the contract.

  • Require that the vendor comply with the applicable obligations under the CPRA and provide the same level of privacy protection as the CPRA requires.

  • Require the vendor to notify the business if it can no longer comply with its obligations under the CPRA.

  • Grant the business the right to take reasonable and appropriate steps to ensure that the vendor uses the personal information in a manner consistent with the business’s obligations under the CPRA.

  • Grant the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  • Require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA with which it must comply, and to provide the information necessary for the service provider or contractor to comply with the request.

Note that in addition to the requirements listed above, a business must include the following provisions:

  • Prohibit the sale and sharing of personal information.

  • Require notification of any sub-processors engaged and mandate that the sub-processors be contractually bound to the same processing obligations.

Businesses are also required to conduct due diligence assessments, such as audits, on their vendors to ensure that they can process personal information in compliance with the CPRA.

What Should Employers Be Doing to Get Ready for CPRA?

  • Understand the employment-related personal information that your business processes by undertaking a data inventory/data mapping exercise.

  • Understand the rights and exceptions provided to California consumers and your business requirements under each consumer right under the CPRA.

  • Ensure that your business is providing its employees and other covered individuals with a notice at or before the time of collection of personal information, and that such notice meets the requirements of the CPRA.

  • Ensure that DPAs are in place with all vendors, including those which process employment-related personal information.

  • Consider developing privacy impact and cyber security assessment programs to understand and remediate privacy and security compliance gaps.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 242

About this Author

Shareholder

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

Christina Hernandez-Torres, Associate

Christina Hernandez-Torres is committed to understanding how privacy, data security and technology impact each client’s business model, practices and objectives to help protect their investment in various technologies. She regularly advises domestic and international clients on breach response issues and compliance with state, federal and international data protection laws. Additionally, she advises on identifying, evaluating and managing first- and third-party data privacy and security risks. Christina has experience handling compliance matters related to the California...
