Although employee data was previously exempted from California privacy law under the CCPA, that exemption expires at the end of 2022. Companies that employ California residents must now be set up to comply with the employee data requirements of the CPRA, which amends the CCPA and goes into effect on January 1, 2023.
What is the CPRA?
The California Privacy Rights Act of 2020 (CPRA) significantly amends the California Consumer Privacy Act of 2018 (CCPA). It was approved by California voters in November 2020 and goes into effect on January 1, 2023. Because the CPRA was a ballot initiative, it can only be amended by the legislature to “further the purpose and intent” of the law. The California Privacy Protection Agency (CPPA) is the governing body that implements and enforces the law.
The CPRA applies to businesses that meet any of these three thresholds:
- $25M annual revenue;
- 100,000 California residents’ personal information; or
- 50% of revenue from the sale or sharing of personal information.
Personal information (PI) is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual.
The CPRA provides Californians with:
- The right to notice about how PI is collected and used
- Rights to access, delete, and correct PI, and to limit the use of sensitive PI
- The right to opt out of sales and “sharing” (aka targeted advertising) of PI
- The right to opt out from profiling/use of automated decision-making (coming soon via regulations)
The law also requires companies to complete risk assessments for certain higher-risk uses of PI.
Not just consumers anymore!
The CCPA was written for the protection of California consumers, and it exempted anyone who wasn’t acting in a business context. The CPRA now also covers company employees, owners, directors, officers, and contractors as well as job applicants and B2B contacts. This means that the privacy rights that companies are required to provide for their consumers must also be given to their employees.
When companies process personal information, a privacy notice must be given to California consumers—and now to California employees as well. These notices must include the following information about the data the company collects:
- The categories of data being processed
- The purposes of processing the data
- The retention period for the data
- Whether the collected data is sensitive
- Whether the data is being sold or shared with third parties and if so, what type of third party
- Whether the data is processed for targeted advertising or profiling
- Whether the company is offering financial incentives to process the data
The notice must also explain the consumer’s or employee’s rights and how to exercise them.
If you’re thinking that having one notice for both consumers and employees is sufficient, think again! Because employers are required to collect sensitive information from their employees like their social security number and government ID, one general notice will not cover the nuanced disclosure requirements for employee data.
Another thing to note is your retention period for employee data. This will likely be different from your schedule for holding onto consumer data. Make sure you have a data retention policy for both consumers and employees.
For these reasons—and many others—you will need to draft a new, separate privacy notice for your employees.
Where should we post employee privacy notices?
Under the CPRA, employees have the right to notice, which means that employers must post their privacy notice in places where employees—and job applicants—will see them. A best practice is to post the privacy notice wherever you interact with your employees. That may be a sign on the wall in a physical office location. It may be an employee intranet. It could be an employee page on your public website. It may be in your employee handbook. If your workspace utilizes CCTV, make sure you post a notice in that monitored area so employees know they’re being recorded. If you post your privacy notice in multiple locations—for example, the office and the intranet—you need to make sure that you update all notices at the same time so they are consistent.
A privacy notice should also be included in your job application and offer letter. When deciding how to keep applicants updated as they become employees, think about all the ways you interact with employees and how you collect information from them. If people apply for jobs with your company both in person and online, consider posting the notice on the website application portal and at the physical location.
Do I need to honor employee deletion or correction requests?
Like consumers, employees now have the right to request that their data be deleted or corrected. Where possible, companies should honor these requests. However, some data is essential to process for normal business operations. Here are the exemptions that may inform a company’s decision to decline requests:
Most employee data will likely fall under the exemptions for contracts (#2) or legal requirements (#3). Employers can’t simply delete all employee data. They could do a partial deletion (think t-shirt sizes from when you sent out company swag), but can’t delete employee names and addresses.
Companies should respond to all deletion or correction requests, even when declining them.
The bottom line is privacy by design
The handling of employee data differs from that of consumer data. Companies may need to set up a separate operational compliance process for employee data. For example, while a customer support specialist may be trained to respond to consumers’ privacy requests, they probably should not handle employee data. Employee data should be kept separate from consumer data, and the HR or legal departments would be best positioned to handle employees’ requests. The purpose is to fulfill these obligations without exposing the data to any unnecessary people. Keep only the information that your company really needs, and build privacy into every operation.