Businesses around the world have shifted to digital technology for transacting business, communications and record keeping. But securing a company’s digital records and missives is not as easy as locking a file cabinet. To protect California employee privacy rights, the state now has two pieces of detailed legislation: the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act of 2020 (CPRA). Although much in these acts does not apply to California employers until 2023, taking steps now is necessary to be at full compliance when the effective date hits.
How California Employee Privacy Rights Are Changing under the CCPA and the CPRA
The CCPA and the CPRA offer protection close to that provided by the European Union’s General Data Protection Regulation (GDPR). These new privacy laws give Californians greater control over their right to know when companies collect and use their personal information and to dictate how it can be used.
When the California State Assembly passed the CCPA, it included an exemption that delayed its effective date for employers for most purposes. The CPRA extended that exemption to January 1, 2023. However, the new privacy laws are so complex and are likely to require significant effort to meet the requirements, so the time to start work on compliance with California employee privacy rights is now.
Protecting Employee PII in California under the CCPA
Passed in 2018, the CCPA took effect in early 2020, giving the state’s consumers four basic types of rights with regard to company use of their personal information:
- The right to know that a business is collecting their personal information, what information it collects and how the business uses that information
- The right to delete such collected personal information (with some exceptions)
- The right to refuse permission for the business to sell the individual’s personal information
- The right to exercise these rights without a discriminatory response by the employer
The CCPA applies to any company that does business in California and meets any of the following criteria:
- It has gross revenue greater than $25 million
- It buys, receives or sells the personal information of 50,000 or more California residents, households or devices
- It has at least 50 percent of its annual revenue from selling the personal information of California residents
When originally passed, the CCPA included an exemption making most of it inapplicable to employers until January 1, 2021. Despite that exemption, however, two aspects of California employee privacy rights became effective in 2020. First, employers must provide a notice to all employees, employment candidates and independent contractors (collectively “employees”) at the time the employer collects personal information. Second, if a business fails to take adequate safeguards to protect personal information, the affected employee, employment candidate or independent contractor may bring a private right of action against a company.
Enforcement of the CCPA and promulgation of regulations currently lies with the California Attorney General (although this is modified prospectively in the CPRA), but aggrieved individuals can also assert a private right of action against the business that violated their CCPA rights.
How the CPRA Impacts California Employers
Before the sunset date for the employer CCPA exemption, Governor Gavin Newsom signed into law Proposition 24: the CPRA. The CPRA amends the CPPA by adding greater and more rigorous data privacy protections for the state’s residents — including employees. It redefines the businesses subject to its requirements to include the businesses that meet any of the following:
- Annual gross revenue greater than $25 million in the preceding calendar year
- Buys, sells or shares personal information of at least 100,000 California households or residents
- Receives at least half of its annual revenue from selling or sharing such personal information
With the same employer exceptions as applied under the CPPA, the CPRA also extends the employer exemption to January 1, 2023. Employers should begin working on understanding California employee privacy rights under the law and becoming compliant right away. Making the necessary changes to policies and procedures could take significant time. Moreover, the 2023 effective date for employers is a bit of a misnomer because there is also a 12-month lookback period in the CPRA for employers, which lets employees file complaints for some violations that occurred as early as January 1, 2022.
The CPRA demands more exacting protections from California businesses and employers in several ways. Of significance to employers, the CPRA adds new protections for a subcategory of personal information called “sensitive personal information.” Sensitive personal information includes any of the following pertaining to an employee, candidate, or independent contractor:
- Social Security number
- Passport number
- Driver’s license number
- Account login information
- Racial or ethnic origin
- Precise geolocation
- Religious or philosophical beliefs
- Union membership
- Contents of email or text messages (with some exceptions)
Employers regularly collect and maintain at least some of the information above, such as for I-9 forms.
The CPRA also revised the CPPA regarding the privacy notices owed to employees, employment candidates, and independent contractors. These provisions are found in California Civil Code §§ 1798.100(a) and 1798.145(m)(3). Beginning January 1, 2023 (but with a lookback period to January 1, 2022), employer notices to employees, candidates, and other workers must include the following at the time of collection:
- The categories of personal information (as defined by the act) to be collected
- The purposes for which the collected personal information will be used and whether it will be shared or sold
- The categories of sensitive personal information to be collected
- The purposes for which the collected sensitive personal information will be used and whether it will be shared or sold
- The term for which the employer plans to retain personal information or sensitive personal information or, alternatively, an explanation of how the employer will determine how long to retain such information
The act prohibits employers from using collected information outside of the scope or beyond the length of time provided in the notice.
In addition to adding requirements regarding the new subcategory of sensitive personal information, the CPRA amended the CCPA to include new limitations on how employers may use employee personal information, and it imposes requirements on employer business relationships, such as vendors providing human resources services.
A New State Agency Will Enforce the CPPA and the CPRA
The CPRA created a new state office for its enforcement, the California Privacy Protection Agency. The agency which will become active on January 1, 2023, and the state attorney general’s office will continue overseeing enforcement until then.
Once up and running, the agency will take over enforcement of the privacy legislation. The new agency’s staff will include a team of auditors to investigate CPRA complaints, and it will have authority to promulgate regulations regarding the interpretation and enforcement of the CPRA.
The Consequences for Employers of CPRA Violations
For the two provisions of the CPPA currently applicable to employers, employees may recover up to $750 for data breaches. Once the California Privacy Protection Agency becomes active, employers could also face civil or administrative fines of up to $2,500 per violation, and fines for violations that are determined to be intentional or involve minors could reach as high as $7,500.
As noted above, employees will have the right to bring a private cause of action for certain CPRA violations, but many question what those cases will look like. There are already pending several CPPA cases; some assert violations of the CPPA, while others allege a CPPA violation as the basis for a claim under California’s Unfair Competition Law, California Business and Professions Code § 17200 et seq. Whether one or both strategies will be found to be viable remains to be seen.
The Next Step for California Employee Privacy Rights Compliance: Engage a California Employer Attorney Focused on Protecting Employers
California employers have no time to waste before starting the rigorous process of reviewing and updating current policies and procedures under the CPRA. A human resources department is not the only part of a business that collects and maintains personal information regarding employees and other workers. If your business contracts out human resources, payroll, or other operations that collect or utilize personal information, you will also need to vet your vendors for CPRA compliance.
The Law Offices of Susan A. Rodriguez, APC represent employers throughout the state to provide guidance and litigation services in a wide range of areas — including California employee privacy rights compliance and litigation. If you have a question about how the California Privacy Rights Act impacts your business or a claim made or would like counsel regarding the CPRA for employers generally, schedule a consultation with Susan A. Rodriguez by calling (213) 943-2313 or complete this online contact form.
Posted by Susan A. Rodriguez, Esq.
The information, comments and links posted on this blog do not constitute legal advice, and no attorney-client relationship has been or will be formed by any communication(s) with the blogger. Do not send any confidential or privileged information to the blogger. No information, documents or materials you send to the blog will be considered confidential or privileged by the Law Offices of Susan A. Rodriguez, APC or its lawyers and no information, documents or materials will be returned to you. If you do send any information, documents or materials to the blog, you give permission for the blogger to include them on or in the blog.
For legal advice, contact an attorney at Law Offices of Susan A. Rodriguez, APC or an attorney actively practicing in your jurisdiction.
