Remember to Look Back as You Move Through 2022
On January 1, 2023, the California Privacy Rights Act (CPRA) will go into effect. This statute imposes new obligations on California employers with respect to the information they collect and maintain regarding employees and applicants. Although time remains for employers to prepare for compliance with the CPRA, some employers may be unaware that the statute also includes a “look-back” provision requiring employers to account for all information collected since January 1, 2022. For this reason, employers are well advised to assess their compliance and revise policies and procedures regarding data collection and storage sooner rather than later.
Why Does the CPRA Apply to Employers?
Although generally described as a consumer rights act, the CPRA broadly defines a “consumer” as any “natural person who is a California resident.” This broad definition encompasses employees, applicants, individual contractors, etc. (For ease of reading, this article generally references “employees,” but employers need to be cognizant that these provisions have broader application.)
Will The CPRA Apply to All Employers?
Generally, the CPRA will affect for-profit businesses that have annual gross revenue of $25 million or greater, or that are in the business of buying and selling personal information. The statute contains more precise definitions and thresholds, but the $25 million revenue threshold will be the key provision for determining whether the vast majority of employers of California residents are subject to the CPRA.
What Will California Employers Be Required To Do?
The CPRA governs use of “personal information,” defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Notably, this definition is not restricted to data collected or stored electronically; it likewise applies to employee forms in filing cabinets. The CPRA also adds a heightened layer of protection for “sensitive personal information” such as social security numbers, biometric and health data, financial information, etc., and employers are prohibited from discriminating against employees exercising CPRA rights.
Employers obviously collect a large amount of personal information and sensitive personal information from their applicants and employees—a large part of it pursuant to legal obligations. So what are the restrictions on use of this data for California employers? Although the particulars will depend on the business and the specific information collected, obligations can generally be broken down into four responsibilities:
Notify – California employers must notify their California employees and applicants of the categories of data they collect and the purposes for which they collect them. Employers cannot collect any information belonging to a category not identified in the notice.
Respond – The CPRA gives employees rights to control the collection and use of their data. Thus, employees can request to access, correct, delete, and restrict use of their data as well as opt out of certain data collections. An exception exists for information other laws require employers to maintain for designated periods (e.g., personnel records, working hours logs, payroll records, etc.). When responding to employee requests, employers will need to understand what data they are legally obligated to keep (and for how long), and what data is subject to the employee request.
Coordinate – The CPRA governs the sale or transfer of information. Even providing an outside payroll processing company employees’ financial information could implicate provisions of the CPRA. Employers will need to assess every aspect of data sharing and make sure that contracts with vendors and service providers comply with the statute.
Manage – The CPRA requires that employers keep data only as long as reasonable to accomplish the purpose for which it was collected. Employers will need to create, update and/or implement data retention plans to ensure that expired data is destroyed. Again, these data retention plans will need to incorporate California Employment law, which mandates retention periods for certain types of employment documents.
How Should California Employers Prepare For Implementation of the CPRA?
Requisite preparations will depend on an employer’s business, personnel, and data collection practices currently in place. However, given the significant number of new regulations and requirements, employers should look to be proactive in their preparations. Some general categories of preparation efforts may include the following:
Identify sources and categories of information stored – Understand what information exists, what type it is (personal information or sensitive personal information), where it is coming from, and where it is stored. Often referred to as “data mapping,” this process should ensure the identification of all collection points and receptacles of employee data. Special attention should be paid to potentially overlooked collection points resulting from active and regular employee monitoring, which is increasingly widespread in the remote working world.
Evaluate ongoing collection efforts – Evaluate what information is collected from employees and analyze whether that information provides value to the business. Consider reducing collection of employee data where possible. Minimizing the amount of information collected simplifies compliance with the CPRA.
Prepare notices – Using the information the data mapping process generates, categorize the types of information collected and the purposes for which they are collected, and prepare the mandatory notices to be given to employees. Update and implement procedures to ensure that these notices are distributed to all employees and applicants and that such distribution is recorded. Regularly review these notices to ensure that the categories identified sufficiently encompass the data the employer is actually collecting.
Train employees – Think through the process of responding to employee data requests and identify the stakeholders to this response effort, including individuals in HR and technology services. Coordinate and develop new procedures and employee training with the individuals and departments most affected.
Identify all data sharing and review applicable contracts – Identify employee data transferred to outside companies and classify those entities according to the provisions of the CPRA. Review the contracts with outside vendors and service providers to ensure compliance with the provisions of the CPRA as well as to understand what indemnification provisions exist.
Update data retention plans – Examine the existence and implementation of data retention policies and expand as needed to encompass employee information. Analyze retention periods to ensure they are reasonable and justifiable. Implement automated processes whereby retention terms can be determined by a triggering event (like termination) rather than creation date. However, ensure that any automated process can be overridden in the event of litigation.
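One way to model the retention rule just described, with disposal clocks started by a triggering event (such as termination) rather than creation date and a litigation hold that overrides automated disposal, as an added Python example that is not part of the article. The record categories, trigger choices and day counts are constructed placeholders, not the statutory California retention periods, which must be looked up per document type.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed, hypothetical retention schedule. "trigger" names the event that
# starts the clock; "days" is a placeholder period, not a statutory value.
RETENTION_SCHEDULE = {
    "personnel_file": {"trigger": "separation", "days": 365 * 3},
    "payroll":        {"trigger": "creation",   "days": 365 * 4},
    "applicant":      {"trigger": "creation",   "days": 365 * 2},
}


@dataclass
class EmployeeRecord:
    record_id: str
    category: str
    created: date
    separated: Optional[date] = None  # termination date, if the person has left
    legal_hold: bool = False          # litigation hold blocks automated disposal


def disposal_date(rec: EmployeeRecord) -> Optional[date]:
    """Date on which the record becomes eligible for disposal, or None if the
    triggering event has not yet occurred (e.g. employee still active)."""
    rule = RETENTION_SCHEDULE[rec.category]
    if rule["trigger"] == "separation":
        if rec.separated is None:
            return None
        start = rec.separated
    else:
        start = rec.created
    return start + timedelta(days=rule["days"])


def disposition(rec: EmployeeRecord, today: date) -> str:
    """Return 'hold', 'retain' or 'dispose' for a record as of `today`.
    A legal hold is checked first so it always overrides the schedule."""
    if rec.legal_hold:
        return "hold"
    due = disposal_date(rec)
    if due is None or today < due:
        return "retain"
    return "dispose"


def disposal_queue(records, today: date):
    """Ids of records the automated process may destroy on `today`."""
    return [r.record_id for r in records if disposition(r, today) == "dispose"]
```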
How Long Do California Employers Have to Come Into Compliance?
Ideally, employers should be well into the process of preparing to comply with the provisions. Depending on the size of the workforce, implementing the new processes the CPRA requires may be a large undertaking. Thus, although the CPRA becomes effective on January 1, 2023, employers are well advised to engage in preparations as early as possible.
Additionally, employers should be cognizant that as of January 1, 2023, employees will have the right to make requests regarding data collected dating back to January 1, 2022, obligating employers to already be tracking the collection, use, and disclosure of employee data. This “look-back” provision makes certain aspects of the statute, de facto, already in effect. Employers not yet in compliance with the provisions of the CPRA may need to retroactively “back fill” informational compliance to prepare fully for the statute’s official effective date.
For these reasons, the sooner employers undertake preparations for compliance with the CPRA, the better. Early assessment, evaluation, and implementation of data privacy policies and procedures will assist employers as this groundbreaking law comes on line.