Any business with an annual gross (worldwide) revenue of over $25 million and any employees, contractors, or applicants that are California residents must have a California Employee Privacy Notice.
The California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), requires employers to notify California employees of the employment-related Personal Information (PI) that the employer collects, and how that data is used. Employers are also required to notify California job applicants of the employer’s data collection practices, so employers should make sure to provide the necessary notice in connection with any job applications that are open to California residents. Contractors and former employees are also covered.
What is a California Employee Privacy Notice?
The California Employee Privacy Notice is a critical document that outlines how a company manages the PI of its California-based employees, contractors, former employees, and job applicants—sometimes called “HR subjects.” This notice serves as a resource for informing individuals about their rights under California law regarding their personal data.
When crafting the privacy notice, some organizations opt for a unified document covering employees, contractors, and job applicants to simplify document maintenance and distribution. However, if there are substantial differences in how personal information is handled for these groups, it may be advisable to create separate notices tailored to their unique circumstances. Additionally, it’s worth noting that the law extends its reach to include business-to-business (B2B) contacts who are California residents. Importantly, the employee privacy notice should not be confused with the general privacy notice posted on the company’s website, as they serve distinct purposes.
To ensure compliance with the law, companies should make the employee privacy notice readily accessible to employees, contractors, former employees, and job applicants. This notice should be provided to HR subjects at the same time or before their personal information is collected. For instance, if potential employees submit job applications to a business in person, the business should display the notice in a place where potential employees will see it as they submit their application. For employees and contractors, it can be made available on the organization’s intranet or included in the employee handbook alongside other policies and notices. Moreover, organizations can place the notice on their website and link to it in online job application processes to ensure it is readily available to HR subjects.
The organization should be fully prepared to follow through on any assurances made about policies and procedures in the notice.
What is in the California Employee Privacy Notice?
A compliant California Employee Privacy Notice should provide the following information to California HR subjects:
- Categories of PI the employer collects
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual. Pay special attention if your company collects the PI of children under 16, as that can be risky. Both state and federal laws include significant protections for children’s privacy and impose additional obligations on organizations that collect or process children’s data.
- How the employer uses PI
Some examples may include publishing employees’ work contact information in an intra-company directory for other employees to view, disclosing applicants’ submitted PI to the HR department, or creating profiles of contractors’ performance.
- Categories of PI that the employer discloses to third parties:
  - Identifiers: names, physical addresses, email addresses, etc.
  - Personal Characteristics: age, gender, etc.
  - Commercial Information: data subject history, property records, etc.
  - Internet/Electronic Activity: browsing history, app use, device ID, etc.
  - Imprecise Geolocational Information: locational information that has a radius of greater than 1,850 feet, which is slightly over 1/3 mile.
  - Sensory Information: audio, visual, etc.
  - Professional Information: employment history, salary, etc.
  - Educational Information: grades, attendance, etc.
  - Inferences: any info drawn from other pieces of PI.
- Categories of PI the employer sells or shares with third parties for targeted advertising purposes
  - Targeted advertising means displaying an advertisement to an HR subject that is selected based on PI obtained or inferred over time from the HR subject’s activities across nonaffiliated websites, applications, or online services. Many organizations do not use HR subjects’ information for targeted advertising, but an example of where it could occur is creating ads on an employment-related social media platform (such as LinkedIn) directed at individuals who have previously submitted an application to your organization.
  - Selling the PI of HR subjects. The law’s definition of “sell” is very broad. It refers to any exchange of PI in return for something of value. For example, sending past contractors’ personal information to another organization that may want to hire them in exchange for a list of their past contractors would be considered a “sale” under California law. “Selling” is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, an individual’s PI to a third party for monetary or other valuable consideration.
- How employees, contractors, and applicants can exercise their rights under California privacy laws:
  - The rights to access, correct, or delete PI
  - The right to limit the use of sensitive PI in certain circumstances
  - The rights to opt out of targeted advertising and sales of PI
  - The right to not receive discriminatory treatment for exercising their privacy rights
How to draft a California employee privacy notice
SixFifty can help!
SixFifty’s All-US Privacy helps organizations comply with every privacy law in the United States. Businesses can easily and effectively generate the customized legal documents written by top legal experts and required by varying privacy laws around the country. As new laws pass, we update our tools to include them so your documents are always up to date.
If you’d like to make informed decisions surrounding data privacy and ensure compliance in a rapidly changing landscape, schedule a demo with SixFifty today.