January 22, 2022

Volume XII, Number 22

Advertisement
Advertisement

January 21, 2022

Subscribe to Latest Legal News and Analysis

January 20, 2022

Subscribe to Latest Legal News and Analysis

Prop 24 (California Privacy Rights Act) Extends CCPA’s Anti-Discrimination/Retaliation Provision to Employees, Applicants, and Independent Contractors.

During the California Consumer Privacy Act’s (“CCPA”) amendment process prior to enactment, personal information in the employment context was highly contested and has continued to be a point of deliberation even after the CCPA’s effective date last January 1, 2020.  CCPA excludes certain employment-related personal information from most of the act’s requirements until January 1, 2021. This exemption was extended by the California Privacy Rights Act (“CPRA”) (a ballot measure supported last week by a strong majority of  California voters) until January 1, 2023.[1]

Under CCPA, unlike consumers generally, employees, applicants, and independent contractors may not request: the deletion of their personal information; to opt-out of the sale of their personal information; or information concerning the categories of personal information collected, the sources from which personal information is collected, the purpose for collecting or selling personal information; or the categories of third parties with whom the business shares their personal information.  Additionally, prior to CPRA, employees, applicants, and independent contractors, did not have anti-discrimination/retaliation rights under the law.

Anti-Discrimination/Retaliation Provision

The CPRA expands the existing anti-discrimination rights to employees, applicants, and independent contractors.  Section 1798.125 (a)(1)(E) states that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights…including…retaliating against employee, application for employment, or independent contractor…”

Thus, although employees, applicants and independent contractors are temporarily excluded from most of the CCPA’s protections, two areas of compliance presently remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.

In light of the expansion of this provision, employers now cannot discriminate and/or retaliate against employees, applicants, and independent contractors exercising their rights to: i) receive a notice at collection concerning their personal information , and ii) file a private right to action following a data breach involving their personal information caused by the failure of the employer to maintain reasonable safeguards.  Additionally, if CPRA is not amended to extend the exemption beyond December 31, 2022, employees, applicants and independent contractors will receive full rights under the CCPA.  If so, on and after January 1, 2023, employers subject to the CCPA will not be able to discriminate against their California employees if  they decide to exercise their right to know, right to delete, right to opt-out, as well as the new CPRA rights – to restrict disclosures and to correct personal information.

We will continue to update the status of the CPRA, its enforcement and any amendments to its current version.


[1] Prior to the passage of Prop 24 (CPRA), Governor Gavin Newsom signed AB1281 extending the exemption until January 1, 2022.

Jackson Lewis P.C. © 2022National Law Review, Volume X, Number 318
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Jerel Pacis Agatep Employment Lawyer SF California Jackson Lewis
Associate

Jerel Pacis Agatep is an Associate in the San Francisco, California, office of Jackson Lewis P.C. His practice focuses on representing employers in workplace law matters, including preventive advice and counseling. He is also an active member of the firm's Privacy, Data and Cybersecurity Practice Group, and currently helping organizations address questions about the application, implementation, and overall compliance with European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the...

415-394-9400
Advertisement
Advertisement
Advertisement