SHARE

November 02, 2021

Is it Secret, Is it Safe? What Employers Need to Know About the California Privacy Rights Act

You've Reached Your
Free Article Limit This Month
Subscribe now to get unlimited access to all Law.com OnPractice content. Your subscription is free.
Subscribe Now

In most contexts, employees should have a low expectation of privacy in the workplace. Their computers, desks, and other common areas may be subject to strict company control and their conduct subject to workplace policies. But as we will discuss in an upcoming two-part series on The Performance Review (Greenberg Traurig's California Labor and Employment Podcast), there are many aspects of employee privacy and related laws, of which California employers must be aware. One such area with rapidly approaching deadlines, is the California Privacy Rights Act ("CPRA").

In November 2020, Californians voted in favor of the CPRA, further expanding employee and consumer privacy rights for California residents. Following consumer privacy trends like Europe's Global Data Privacy Regulation, California has been on the move to enhance privacy, not just for consumers, but for employees. The CPRA amends the California Consumer Privacy Act ("CCPA"), which the California legislature passed in 2018 and went into effect January 1, 2020. Unlike the CCPA, which was amended in 2019 to have a limited application to employees, job applicants and independent contractors, the CPRA will extend various individual rights to employees, job applicants and independent contractors. Consequently, employers subject to the CPRA will need to start preparing in the near future to ensure they have the necessary procedures, policies and contract amendments in place by the CPRA's January 1, 2023 effective date.

What Is the CCPA?

In general, the CCPA was enacted to enhance the privacy rights of California residents by providing them with notice of how their personal information is being processed, the purpose for such processing, and allowing them greater control of their personal information. While the CCPA provides California residents the right to access, to deletion and to opt-out of "sales" of their personal information, it did not extend most of these rights to California employees. It did, however, expand employee rights in two significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and purpose for collection; and (2) it provides for statutory damages ranging from $100 to $750 if certain personal information is breached. Further, the CCPA requires businesses to have "reasonable security procedures and practices" in place to protect their California employees' personal information.

Which Employers Are Subject to the CPRA?

The CPRA amends the CCPA's definition of a covered "business" to minimize its impact on small to medium sized businesses. The CPRA applies to for-profit organizations that collect personal information on California residents, determine the purposes and means of processing the personal information, do business in California and satisfies one of the following thresholds:

(1) as of January 1, had annual gross revenues in excess of $25 million in the preceding calendar year; or

(2) buys, sells or shares the personal information of at least 100,000 California consumers or households; or

(3) derives at least fifty percent of its annual revenue from selling or sharing consumers' personal information.

It is important to note that an employer does not need to have a physical location in California to be subject to the CPRA, but rather it must only satisfy the definition above.

What Is the CPRA and How Does It Impact the CCPA?

The CPRA materially amends the CCPA by adding a number of provisions to expand employee privacy rights. However, like the CCPA, the CPRA does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member or contractor, with regard to benefits administration and maintenance of emergency contact information.

New Business Definition. Although it contains many of the same definitions as the CCPA, the CPRA changes one of the thresholds for an entity to meet the definition of a "business" subject to the law - in that it changes threshold from 50,000 to 100,000 or more consumers or households, and removes devices from the threshold.

Sensitive Personal Information Definition. The CPRA includes "sensitive personal information" as a defined term and requires businesses provide notice to employees when such information is processed, the purposes for the processing, whether the information will be sold or shared, and the length of time the business intends to retain each category of sensitive personal information. The term is broadly defined to include social security and driver's license numbers, financial account information, credit card numbers, account passwords, geolocations, genetic data, biometric information, records of products purchased, internet browsing history, and content of emails and text messages. See Cal. Civ. Code §1798.140(ae).

Individual Rights. The CPRA also provides for new and modified individual rights, which impact employees. It imposes restrictions and requirements on personal information, including disclosure requirements, opt-out requirements, opt-in consent for use and disclosure, and limitations on purposes for which information may be used. For example, the CPRA includes a right to correction, whereby consumers may request corrections to personal information if it is inaccurate. It provides a right to opt out of the use of automated decision-making technology (including profiling in connection with decisions related to work performance, economic status, health, personal preferences, location or movements). It also provides the right to restrict or limit the use and disclosure of sensitive personal information for secondary purposes, such as prohibiting businesses from disclosing certain information to third parties.

Flow-down Provisions. The CPRA also contains flow-down provisions that require employers to understand how third parties use, share and secure consumer data. Employers should identify third parties and vendors that receive their employee or applicant personal information (e.g., payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies, etc.) and conduct vendor inquiries and diligence about how those third parties use, share and secure the employee personal information. The CPRA requires businesses with such vendors to enter agreements to ensure compliance with the CPRA, including the right to, upon notice, take reasonable steps to remediate unauthorized use of personal information.

Data Retention. The CPRA requires businesses to inform California residents of the length of time they will retain each category of personal information and sensitive personal information or the criteria used to determine that period.

Expanded Right of Action for Breach of Login Credentials. Moreover, the CPRA expands the types of data breaches for which a California resident can recover statutory damages to include breaches of personal online login credentials (such as passwords or security questions that permit access to an online account). The existing right to recover statutory damages, particularly when coupled with this expansion, provides covered employers a strong incentive to enhance their security measures.

Yeah, But, What if We Don't Comply?

Failure to comply with the CCPA (and later the CPRA) can carry significant fines. The CCPA currently charges the Office of the Attorney General (OAG) with issuing regulations and enforcing the CCPA. The OAG can bring civil actions to enforce the law and impose penalties up to $7,500 for intentional violations and $2,500 for unintentional violations. The CCPA also contains a private right of action, allowing for $100 to $750 in damages for each incident of breach. These penalties can add up quickly, particularly in a class action context. There is, however, a 30-day cure period in which an employer can cure a violation and provide an express written statement that the violation has been cured, to avoid penalties. Cal. Civ. Code §§1798.150(b); 1798.155(b).

Under the CPRA, the 30-day cure period no longer applies to general violations of the law, but rather only as a means of preventing individual or class-wide statutory damages as part of a private right of action for security violations. In addition, the CPRA creates a new enforcement mechanism and establishes the California Privacy Protection Agency (CPPA). The CPRA expands rulemaking and enforcement power to the CPPA, which includes the authority to require businesses to submit annual privacy and security risk assessments and to audit those assessments. The CPPA will be governed by a five-member board, which was appointed in March.

When Does the CPRA Go into Effect?

The CPRA will become operative on January 1, 2023, and enforcement actions are slated to begin on July 1, 2023. However, it is important to recognize that the CPRA includes a one year "look back provision" which requires that when a business receives a request on January 1, 2023 (the day the law goes into effect), it must be prepared to provide responsive information going back to January 1, 2022. With these deadlines looming, California employers should prepare their CPRA compliance workplans as soon as possible, and begin taking the necessary steps to come into compliance.

How Do Employers Prepare for the CPRA?

It will take most businesses at least 12 months to become substantially compliant with the CPRA. With the CCPA already in place, employers should already be on the move to update their privacy compliance practices. However, below is a checklist to help build effective privacy and security programs to prepare for the CPRA:

  • Determine if your organization is a covered business under the CPRA.
  • Create a team consisting of members from HR, Legal, Compliance and IT to lead your CPRA compliance project.
  • Map and classify personal information and identify sensitive personal information.
  • Revise (or develop) workforce disclosures to include new definitions and rights.
  • Develop workforce request workflows for rights to access, correct, opt-out of sharing and sales, and delete personal information.
  • Put in place contractual provisions with workforce vendors including diligence and contractual indemnity.
  • Develop, enforce and audit document retention policies.

Although new rulemaking may impact the exact confines of the CPRA, employers should create a plan now and start to take the necessary steps to come into compliance as 2023 will soon be upon us. And be on the lookout for Greenberg Traurig's upcoming podcast, where we will discuss employee privacy rights, including those under the CPRA, among several other aspects of workplace privacy.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Fifth Circuit Decision Could Undermine Constitutionality of HHS Civil Money Penalty Laws

By Robert P. Charrow Greenberg Traurig May 20 , 2022

On May 18, 2022, the U.S. Court of Appeals for the Fifth Circuit issued its decision in Jarkesy v. Securities and Exchange Comm’n, in which it examined the constitutionality of an agency civil money penalty enforcement proceeding.

Workplace Safety Review: Episode 25 | Interview with Dr. John Howard

By Michael T. Taylor Greenberg Traurig May 16 , 2022

In this episode, Adam Roseman talks to Dr. John Howard, the director of NIOSH and the administrator of the World Trade Center Health Program in the US Department of Health and Human Services.

Construction Company Settles False Claims Act Allegations Relating to Small Business Subcontracting for $2.8 Million

By Melissa P. Prusock Greenberg Traurig May 13 , 2022

On May 12, the U.S. Department of Justice announced a $2,804,110 settlement with Hensel Phelps Construction Company to resolve allegations that it violated the False Claims Act (FCA) by circumventing federal regulations designed to encourage contract awards to service-disabled veteran owned small businesses (SDVOSBs). According to the settlement, Hensel Phelps, a general contractor that performs public and private construction projects, improperly claimed credit toward its small business subcontracting goals for subcontracts it awarded to an SDVOSB that it should have known was acting as a mere “pass-through” for a large business that was actually performing the work.

More From Privacy

U.S. Supreme Court Rejects Prejudice Requirement for Waiver of Arbitration

By Mark J. Levin Ballard Spahr May 23 , 2022

The U.S. Supreme Court today held that waiver of the right to arbitrate does not require a showing that the other party was prejudiced. The unanimous opinion by Justice Kagan in Morgan v. Sundance reversed the Eighth Circuit, which had held that a party waives the right to arbitrate if it knew of the right, acted inconsistently with that right and prejudiced the other party by its inconsistent actions.

Delaware to Mandate Paid Family Leave Starting in 2026: 5 Steps to Help Employers Prepare for the Transition

By Michael E. Truncellito Buchanan Ingersoll & Rooney May 17 , 2022

Delaware has become the 11th state to guarantee paid parental, medical, and military leave for private-sector workers.

Yes, CBD Registers On A Drug Screen As THC And, Yes, You Can Be Terminated For It

By Sara H. Jodka Dickinson Wright PLLC May 16 , 2022

There is a lot to unpack in the Lehenky v. Toshiba America Energy Systems Corporation, Case No. 20-4573 (E.D. PA, February 22, 2022) case as it answers two very interesting questions. First, does CBD register on a drug screen as THC, and can employees be terminated for using it? Second, is an employer test for prescription drugs an illegal medical inquiry in violation of disability laws?

Featured Stories
Closeclose
Search
Menu

Working...