November 22, 2022
As the California Privacy Rights Act (CPRA) replaces its predecessor, the California Consumer Privacy Act (CCPA), on January 1, 2023, retailers are facing a significant compliance-readiness effort in the middle of their busiest season. The CCPA temporarily exempted employment and business-to-business information until the effective date of the CPRA, and it was widely expected that the same exemption would carry over into the CPRA. However, the California legislative session closed on August 31, 2022, without extending the employee or business-to-business exemption.
Retailers doing business in the State of California who meet one or more of the following criteria should quickly determine how the new law will affect their employees, applicants, and independent contractors:
- As of January 1 of the calendar year, the company had exceeded $25 million in annual gross revenue in the previous calendar year.
- The company buys, sells or shares the personal information (PI) of 100,000 or more California consumers or households.
- The company derives 50% or more of its annual revenue from selling or sharing PI.
The CPRA requires covered employers to limit the collection, use, retention and sharing of an employee’s personal information to what is reasonably necessary and proportionate for the disclosed purposes. The law requires employers to provide new notices or obtain an employee’s express consent before collecting, using, retaining or sharing personal information outside of certain exceptions. It also grants employees important new rights, including:
- Erasure. Request deletion of PI collected from the individual.
- Correction. Request a correction of inaccurate PI.
- The right to know. The right to know how the employer collects and processes the individual’s personal data and to receive copies of specific data (i.e., access to their own data).
In many ways, the right to deletion is a bit of window dressing; most requests may be denied because of an employer’s obligation to retain the data to comply with federal or state law, or because deletion would prevent the company from exercising or defending legal claims. However, responding to right-to-know requests and providing access to personal information will be a considerable undertaking for employers.
The CPRA imposes significant new obligations on covered employers, including requirements related to data retention, data minimization and purpose limitation. Employers must also forward deletion requests to service providers, contractors and third parties to whom they have sold or shared the information. The law prescribes additional terms that companies must include in their contracts with service providers, contractors and other third parties. Regulations issued under the act are expected to add audit requirements, such as conducting cybersecurity audits on an annual basis and submitting regular risk assessments to the California Privacy Protection Agency (CPPA).
It is possible that the law will be amended or a grace period extended before the enforcement date of July 1, 2023. However, employers are advised to take action while there is still sufficient time to prepare. While most affected retailers have undertaken significant planning with respect to consumer data, here are ten steps to take with respect to employment information.
- Data map. It is impossible to respond to access and deletion requests from data subjects if an employer is unsure of the categories of personal information and sensitive personal information it collects from applicants, employees or independent contractors; how it uses this information; and where the information is stored. Many retailers started, then abandoned, mapping employee information when the CCPA took effect, so existing data maps, if any, are likely outdated. In a retail environment, it is quite common for employee data to be spread across the enterprise, with pockets of data in offsite storage, store-specific or department-specific human resources (HR) files, distribution centers, head office and various human resource information systems (HRIS). It will take time and effort to interview key stakeholders to ensure that all data is captured correctly. For many retailers, their employees are also often consumers. In most cases, it is recommended to separate employee data from consumer data.
- Determine if the data is in scope. Once the employer has mapped all of the data, it must categorize that data as either employment-related personal information, which falls within the scope of the CPRA, or as corporate data, which is not considered personal information of the employee. In some cases, this decision may also require updating company policies regarding acceptable use of email, mobile devices, handbooks and other data-bearing assets. This is also a good time to re-evaluate the company’s document retention policies.
- Determine if PI is sold or shared. Assess whether there is any “selling” or “sharing” of PI to third-party vendors, such as benefits consultants. In the employment context, there are rarely true “sales,” as in the exchange of data for money. Nevertheless, employers should carefully analyze whether the information is otherwise rented, released, disclosed, disseminated, made available or otherwise transferred to a third party for monetary or other valuable consideration. The CPRA defines “sharing” as transferring or making available PI “by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Although “sharing” is unlikely to occur in an employment context, if information is exchanged for valuable consideration, such as administrative fee rebates or free pilot benefit programs, employers may need to assess whether employees should have the right to opt out of the transfer of their information to the vendor.
- Assess use of sensitive PI. Determine what “sensitive” personal information is collected, assess how it is used, and determine whether proper notice and the ability to limit its use and disclosure are required. Sensitive personal information includes information such as an individual’s government identifiers (driver’s license, passport, state identification card and social security numbers); precise geolocation; racial or ethnic origin; biometric and genetic data; union membership; religious or philosophical beliefs; the contents of private communications (text, mail or email) when the company is not the intended recipient of such communications; and information about sexual orientation, sex life or health. From an employment perspective, diversity, equity and inclusion data and some geolocation data can be potentially problematic. Careful consideration is required to determine whether the employer infers characteristics of the employee from the information it holds. If so, special rules apply.
- Determine whether the rights will be limited to California residents. Limiting data subject rights to California residents may raise employee relations issues, as team members elsewhere may object to the collection and use of their personal information on a perceived unfair basis. This can be particularly problematic for retailers facing a historic wave of union organizing drives.
- Update privacy notices. Be mindful of terminology here: applicants and independent contractors are covered by the CPRA, but they are not employees. Co-employment claims can arise if companies refer to all of these groups as “employees.” Consider having separate privacy notices for applicants and independent contractors.
- Update the notice at collection. Privacy notices are forward-looking in nature, describing why the company collects personal information and what it may do with it in the future. A notice at collection is a bit different: it must be provided at or before the point where the data is actually requested from the individual, and must set out the categories of PI to be collected at that time, the purposes for which they are collected or used, and whether the personal information will be sold or shared, so that the individual can decide whether or not to disclose the information.
- Determine who will handle DSARs. Consider partnering with an external provider to verify the identity of requesters, track requests, and respond to data subject access requests (DSARs). Internal response teams may be inundated with requests if the new data subject rights are not limited to California residents. Coordination with internal human resources and legal teams will be required: the CPRA response deadline is generally 45 days from receipt of a request, with a one-time extension of 45 days where “reasonably necessary,” but the California Labor Code generally requires production of personnel records within 30 days and payroll records within 21 days. Ineffective coordination can lead to late production of records, the imposition of fines and penalties, and potential class action exposure.
- Update vendor contracts as needed. Vendors that host employee information directly, such as payroll and benefits administrators, may need to respond to DSARs themselves. Vendor contracts should be carefully reviewed and, where necessary, amended to address this responsibility.
- Be flexible. Although regulations are forthcoming, employers simply cannot wait for them to be released and expect to meet compliance deadlines. Flexibility is key, and employers will need to be nimble and possibly change course or alter their compliance strategies.