What Employers Need to Know About Employee Rights Under CPRA

,

When the California Consumer Privacy Act (CCPA) was passed in 2018, residents of the Golden State were given the most progressive, robust data privacy rights in the entire United States. Modeled after the European Union’s General Data Protection Regulation (GDPR), the CCPA created a slew of new regulations designed to protect consumers from the unethical and unauthorized online collection, processing, and sale of their personal information. 

For businesses used to building marketing and product development programs on the information gleaned from their virtually unregulated data collection operations, the CCPA was a game changer.

But the CCPA hasn’t been perfect. Loopholes and gaps in coverage created confusion for consumers and companies alike, and made the new law less effective than privacy advocates had hoped. Within nine months of the CCPA’s effective date, California residents passed an amendment to the CCPA.

Known as the California Privacy Rights Act (CPRA), this amendment clarified vague parts of the CCPA and added new consumer rights. Significantly, it also created and funded the California Privacy Protection Agency (CPPA) to enforce all CCPA and CPRA requirements.

CCPA, CPRA, and employee rights

According to privacy and workers’ rights advocates, one of the major failings of the CCPA was that it exempted employees from the majority of data privacy protections given to consumers. 

Under CCPA regulations, employers were required to notify employees about the business purpose and categories of personal information collected before any collection took place, and provide reasonable security measures to protect against unauthorized access. These same rules also applied to consumers in California.

But where consumers had multiple ways to limit how their personal information was used and how far it traveled, the employer exemptions baked into the CCPA meant employees did not. State and federal employment laws provided some additional protections, but there’s no question that the law was not keeping up with the digital economy when it came to protecting employees.

For example, an individual could opt out of the sale of their data when they bought something online, but then have no control over what their employer did with that same sensitive personal information. Employees also had no formal rights to correct or delete their data from internal databases or to limit the disclosure of their sensitive information to third parties. 

One of the primary drivers of the movement to amend the CCPA was to extend the level of data privacy protection consumers enjoyed as individuals into the workplace. Just as civil rights don’t stop at the front door of an office building, CPRA’s passage means data privacy rights won’t either.

What’s new for employee rights in CPRA

When CPRA becomes effective on January 1, 2023, job applicants, employees, independent contractors, owners, emergency contacts, and beneficiaries (called workforce members in the bill) in California will have the same rights as consumers, namely:

  • Right to access: Workforce members have the right to know what personal information has been collected. They also have the right to know how and why it was collected, how long it will be stored, and which third parties it has been sold to or shared within the previous 12 months.
  • Right to delete: A request by workforce members to have personal information deleted must be honored. This right can be limited by legitimate business functions.
  • Right to correct: Workforce members have the right to correct, amend, or rectify inaccurate or incomplete information in their employee record.
  • Right to opt-out of the sale/sharing of personal information: Workforce members have the right to opt-out of having their data transferred to a third party.  (Note: including sharing of data in the sales opt-out clause closes a major CCPA loophole and was another significant motivator for CPRA)
  • Right to limit the disclosure of sensitive personal information: CPRA creates added protections for certain categories of sensitive data such as gender, race, sexual orientation, medical history, biometric data, religious or political affiliations, union membership, and precise geolocation.
  • Rights related to automated decision-making and profiling: Workforce members can opt-out of having their personal information based on work performance, economic status, health, interests, etc. used to create a profile for automated decision-making processes
  • Right to non-discrimination: Employers may not retaliate or discriminate against workforce members who exercise their CPRA rights.

CPRA also mandates that businesses:

  • Minimize their data collection to what is adequate, relevant, and necessary
  • Not retain data for longer than is reasonable or useful
  • Conduct annual audits and privacy risk assessments to evaluate the effectiveness of internal policies
  • Implement a “Do Not Sell or Share My Personal Information” link on the business website(s) if they use analytics or targeting advertising trackers. This can apply to intranets or web-based applications that an employee would be required to use. 

A very important note

Privacy rights for employees intersect strongly with human resource laws. As you can imagine, sorting through both can get confusing. To keep straight on what’s what, employers should work closely with both privacy professionals and HR attorneys to build processes and policies that comply with all relevant legal obligations while also supporting the needs of employees. 

What this means for employers

CPRA compliance is not just an issue for your IT department. And human resources can’t manage it single-handedly either.

Effectively responding to requests from either employees or customers necessitates a granular understanding of your data and powerful categorization, sorting, and evaluation processes. To be fully ready for CPRA’s January 1, 2023, effective date, your company should be building a data inventory, updating your privacy notices, putting data processing agreements (DPAs) in place with all vendors, and training your team on CPRA compliance obligations.

Make sure you consider how these privacy actions impact your employees, too. For example, what processes do your employees need to take to submit a request? What will happen after that? Setting clear and predictable processes now will build trust with your employees and make complying with CPRA easier. 

Build a data inventory

A data inventory is the single most valuable asset a company has when building a data privacy program. Data inventories provide a full picture of your data management program and will highlight:

  • What types of information you’re collecting
    • This could include:
      • CCTV/video surveillance
      • Geolocation information (such as tracking employees in fleet vehicles)
      • Time-keeping and expense tracking
      • Online monitoring tools
      • Performance-based tracking
  • Where, how, and why you’re collecting it 
  • Who has access to it
  • How long and where it’s stored
  • Where it’s vulnerable to exposure

Frankly, it’s not possible to consistently respond to individual rights requests if you don’t know this information. We always recommend clients complete a data inventory regardless of their compliance obligations. Without one, you’re building a house of cards on sandy shores.

Update your privacy notices

If you’re already CCPA compliant, it probably won’t be too difficult to adapt your consumer notifications for employees. But if you’re among the 89% of companies who have yet to establish full CCPA compliance, you don’t have any time to waste.

CPRA stipulates that employees be notified of what is being collected and why before a single byte of data is captured. The notification should:

  • Use simple, easy-to-understand language
  • Include a link to your full privacy disclosure
  • Give options to opt-out where applicable

Get DPAs in place

DPAs are another reason CPRA exists in the first place. Designed to increase accountability in the event of a breach, CPRA mandates data controllers (that’s you) and processors (your third-party vendors and service providers) have a contractual agreement in place that:

  • Specifies the limited purposes for which shared data can be used
  • Obligates vendors to provide CPRA-level protection regardless of where they are located
  • Lays out specific processes and expectations to ensure the safe transfer of data between all parties
  • Requires processors notify controllers of a breach or other security issues in a timely way
  • Allows the controller to take control of data that is being used in unauthorized ways

If your third-party vendors aren’t CPRA compliant, you need to either renegotiate or terminate your contract with them and find someone who is. 

Under CPRA, you are on the hook for breaches that occur at your company and at a processor you’ve shared data with. It makes sense, then, that you’d want to make sure your vendors have the same high standards you do.

Train your teams

Any employee that is responsible for handling sensitive personal information or responding to individual rights requests must be trained on what their legal responsibilities are. Providing training that ensures your employees understand privacy best practices might seem daunting and expensive, but trust us. Managing a breach caused by employee error is much harder and costs a lot more money.

Get help from the best

If CPRA’s effective date has turned into your own personal boogeyman, let us help you use the next few months efficiently so you can start the new year compliant and competent. Contact us today to get started.