How the California Privacy Law Affects Employee Data

Although employee data was initially exempt from the CCPA, that exemption expires in 2022. To remain compliant with California privacy law, employers must take steps to implement the CPRA’s worker data protection provisions. These include the right to know, the right to access, the right to limit, the right to erasure, and the right not to be discriminated against for exercising these rights.
The Right to Know
A key component of California’s CPRA is that it gives individuals the right to request that businesses disclose what personal data they have collected about them. Businesses must also say whether they have sold that data and to whom.
In addition, a consumer can ask a business to limit the use of their data. However, the company must obtain the individual’s consent before using that data for other purposes. A business also cannot deny the request on the basis of a “good faith” belief that it has a legitimate need for the information.
HR departments will have a lot of work ahead of them when complying with this new law, because the California privacy law on employee data applies to any company that collects and maintains personal information about employees, job applicants, or their household members who are residents of California.
This includes employee performance, compensation, benefits, and disciplinary action data. It also extends to sensitive personal information like social security numbers, medical records, genetic data, religion-related data, sexual orientation, and more. This is in contrast to the CCPA, which only covered consumer data.
The Right to Access
With the enactment of the California Privacy Rights Act (“CPRA”), employees and other individuals in the workforce are now covered by CCPA provisions. The CPRA expands the scope of personal information that must be included in businesses’ consumer privacy notices to include employee data (“Employee Personal Information”).
Under the CPRA, workers have six fundamental rights: the right to know what personal information is collected; the right to access their personal information; the right to limit how and with whom their personal information is shared; the right to request correction of their personal information; and the right to have their data deleted. Businesses must respond to worker requests for access, deletion, and limiting of sharing in the same manner as they would any other CCPA request.
The CPRA applies to businesses that collect California residents’ personal information and derive 50 percent or more of their revenue from selling that data. This includes all private companies, nonprofits, and government agencies. It also applies to job applicants; current and former employees, officers, and directors of those entities; medical staff members; independent contractors; and vendors.
The Right to Limit
As a practical matter, it is unlikely that employees will want to limit the use of their sensitive personal information, including government IDs (such as social security numbers), financial account information, precise geolocation, union membership, or private communications. It is also difficult for most companies to separate and track the data collected about each employee according to that employee’s privacy choices.
The CPRA requires companies to disclose the categories of personal information they collect, how that information is used and with whom it is shared, and what rights consumers have to restrict the use of their data. To meet this requirement, many HR departments must create a new employee privacy policy separate from their existing consumer privacy policies.
This change could require significant resources, especially for smaller companies that rely on several third-party service providers to collect and process their worker data. In addition, those third parties may need to familiarize themselves with the CCPA requirements and update their own privacy practices. In the meantime, most HR experts recommend that companies prepare for this shift by conducting a gap analysis and developing an internal compliance plan.
The Right to Erasure
Like the GDPR’s right to be forgotten, California’s new privacy law, the CCPA (often called “CCPA+” by legal observers), gives employees who have requested access or deletion of their personal information certain additional rights. These include the right to know what personal data a business collects about them, the right to ask for that data to be corrected or deleted, and the right to opt out of having their personal information sold.
A business that does not comply with these obligations risks fines of up to $25 million per year, although some exemptions exist. One of those is that a business may refuse a request to delete data if it is necessary to protect an employee’s safety or health, enforce a legal agreement, or for other reasons as specified in the statute.
Businesses must also update their employment privacy notices and ensure that their third-party vendors know their responsibilities under the CCPA. The CPRA also requires an employer to notify job seekers when it collects personal information for hiring purposes.
The Right to Portability
A ‘right to portability’ enables individuals to transfer their data quickly between different IT systems. This gives them the power to use services to help them find a better deal or understand their spending habits, for example. This right is a fundamental aspect of GDPR, and now California’s new law – CPRA – has added it to the rights individuals already have under CCPA.
The new law applies to the personal information of employees, job applicants, contractors, and others in work roles who are residents of California (“Worker Personal Information”). It also includes third parties that control the collection of worker data. The newly established California Privacy Protection Agency will enforce the law’s provisions.
Companies must comply with a worker’s right to access their data and the other rights outlined in CPRA. This will require them to review their processes, revise their agreements with third parties, and update their notices of collection and privacy policies. In addition, they will need to consider whether any of their worker data is ‘inferred or derived’ from their other personal data and whether it is subject to the right to portability.