In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first U.S. state with a comprehensive data privacy law that fully covers employment-related data (“B2E”); the California Consumer Privacy Act (CCPA) currently applies to employment data only in a limited fashion. Final regulations from the California Privacy Protection Agency are still pending and, we have learned, may be delayed until the third or fourth quarter of 2022. In the meantime, we continue to assess and provide guidance on the key areas businesses should consider when developing a CPRA compliance strategy for B2E.

As we reported here, California legislators have recently proposed amendments that would extend the exemptions affecting B2E and business-to-business data, which we will continue to monitor closely. Still, companies are well advised to press forward with compliance efforts on the assumption that the exemptions will expire, so that they are able to comply fully with the CPRA when it takes effect.

Given the unique relationship between an employee and an employer, as well as the myriad existing California employment laws already covering employee rights, applying CPRA to employees will create a complicated intersection of data protection and employment law that requires employers to plan their CPRA B2E strategy and implementation carefully. In this article, we address five frequently asked questions from businesses preparing for CPRA B2E compliance.

  1. Does remote working affect how I determine which employees are in scope for CPRA B2E requirements?

Yes. As an initial compliance step, employers that offer remote working options should determine which employees in their workforce will be subject to CPRA. As currently drafted, CPRA applies only to employees who are “California residents.” Cal. Civ. Code §1798.140(i).

This assessment is not as straightforward as it may have been pre-pandemic. The line is now blurred by remote work and by the migration of California-based employees to states with lower taxes and costs of living. Employers should be cognizant of how remote working may affect employees’ residency and plan their CPRA implementation strategy accordingly.

While businesses may consider a unified, national approach to B2E rights by honoring CPRA-like rights for all employees regardless of residency, this approach carries risks that should be carefully assessed. For example, other states may have existing employment laws that conflict with CPRA rights, and those states may pass privacy laws that apply to their resident employees in the future. Further, there is a risk that employees, former employees and plaintiffs’ attorneys will misuse CPRA rights to circumvent traditional discovery procedures for litigation purposes.

  2. Can employers simply extend their existing CPRA program for California consumers to employees in order to comply with CPRA?

Not quite. Existing CCPA rights for California consumers may not apply in the same way in the employment context, and different exceptions will apply when employers respond to requests made by employees. To avoid misapplying or misinterpreting CPRA rights in the B2E context, privacy lawyers should review the CPRA requirements closely with their HR or employment legal team through an employment lens rather than adopting a one-size-fits-all approach.

A good example is CPRA’s right to limit the use and disclosure of sensitive personal information. On a plain reading of the statute, this right applies only to sensitive personal information that is collected or processed for the “purpose of inferring characteristics” about a consumer. Cal. Civ. Code §1798.121(a), (d). Businesses generally do not collect sensitive personal information in order to infer characteristics of their employees; in the employment context, sensitive personal information is typically processed to fulfill HR responsibilities such as payroll and benefits administration. Sensitive personal information that is not collected for the purpose of inferring characteristics is treated as “personal information” for purposes of all other sections of CPRA, including the notice requirements. §1798.121(d). Unless the regulations state otherwise, this reduces the burden on the employer: it may not be necessary to give a separate notice regarding sensitive personal information or to include the right to limit in the employee CPRA request process. Including the right without close statutory review and analysis can create misunderstandings among employees about how their information is being used, which employers should avoid.

As we stated in our previous blog post, before tackling disclosure obligations or the implementation of consumer rights, employers should conduct data mapping to determine what personal information they collect about their employees, why it is collected, and how it is used and disclosed to third parties, in order to create a tailored CPRA compliance program.

  3. CCPA already required employers to give a Notice at Collection to employees. Is the existing CCPA notice to California employees sufficient to comply with CPRA?

No. CPRA requires the employee notice to include additional disclosures on newly introduced concepts such as “sensitive personal information,” “retention periods,” and whether personal information or sensitive personal information is sold or “shared.” While many of the disclosures will be business-specific, the existing CCPA notice will, at a minimum, need to be updated to include the retention disclosure. Businesses should also consider how they will deliver the updated notices to their California employees and new hires, and whether to draft and implement separate CPRA materials for the California employee population only or adopt a single, national privacy policy.

  4. What specific new or amended rights will California employees have under CPRA?

One of the most significant undertakings under CPRA will be assessing and responding in a timely manner to employees’ rights requests, either by fulfilling the request or by determining that an applicable exception applies. Employers should develop a detailed process by which employee rights requests are verified, accepted or denied (in whole or in part), and responded to.

At a minimum, the following rights will apply to California employees of all CPRA-covered businesses:

  • Right to Know
  • Right to Delete
  • Right to Correct Inaccurate Information
  • Right to No Retaliation for Exercising CPRA Rights

As mentioned above, there are several statutory exceptions that employers may rely on so that the above rights do not impair the business’s legitimate need to continue to process and retain certain employee personal information. For example, an employee’s right to delete is not absolute: an employer may retain personal information such as name, address and banking information to the extent necessary to perform an existing employment contract.

On the other hand, the following rights are more business-dependent and may not apply to the employees of every business:

  • Right to Limit Use and Disclosure of Sensitive Personal Information
  • Right to Opt-Out of Sale
  • Right to Opt-Out of Sharing
  • Right to Access and Right to Opt-Out of Automated Decision-Making (to be further defined by regulation)

Businesses should carefully evaluate each new or modified right under the CPRA and determine which exceptions may apply in what contexts.

  5. Do employers need to update vendor contracts related to employees’ personal information?

Yes. Since CPRA will apply to California employees in the same way as to other consumers, employers will need to account for disclosures of employee information to vendors, including service providers, contractors and third parties, in the same manner as they do for traditional consumer personal information under the CCPA and other privacy laws.

CPRA requires agreements with third parties, service providers and contractors to whom employees’ personal information may be disclosed to contain specific terms. These provisions should be added to both new and existing contracts, and the resulting impact on business obligations will depend on what employee information is shared, why it is shared and the role of the recipient entity.

The definition of “service provider” under the CPRA has been expanded to incorporate the new concepts of “sale” and “sharing,” and the statute now sets out specific requirements for written contracts with service providers and contractors. Cal. Civ. Code §1798.140(ag). For example, the contract must grant the business the right to take reasonable and appropriate steps to ensure that the recipient uses the personal information in a manner consistent with the business’s obligations under CPRA (§1798.100(d)); the Agency’s draft regulations describe such steps as including ongoing manual reviews and automated scans, and regular assessments, audits or other technical and operational testing at least once every 12 months.

We will continue to monitor updates regarding CPRA and its impact on B2E. Please stay tuned for future blog posts.