California Privacy Laws To Create Major Shift For Employers Nationwide in 2023
The California Consumer Privacy Act of 2018 (“CCPA”) provides consumers with protections relating to their personal information collected, sold, or used by covered businesses. Despite the term “consumer” in the name of the law, the CCPA’s broad definition encompasses employees, applicants, independent contractors, and other types of workers. For now, employers are exempted from many of the CCPA requirements under the “Workforce Data Exception.” This exception ends January 1, 2023, when the California Privacy Rights Act of 2020 (“CPRA”) takes effect.
Employers must be aware of both the CCPA and CPRA obligations that apply to personal information collected about employees. Personal information is information that identifies, relates to, or could reasonably be linked with a person or their household. For example, it could include a person’s name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about that person’s preferences and characteristics. The CPRA also provides for additional consumer rights, and employers will need to comply with the regulations for all collected personal information.
Who are Covered Businesses and Protected Consumers under the CCPA
As previously reported, the CCPA’s sweeping applicability goes beyond businesses strictly located in California; it is instead generally based on a business’s revenue and on whether the business handles covered personal information, which is defined broadly. Entities transacting business in California, no matter how remotely or infrequently, are encouraged to check with legal counsel about their obligations under the CCPA and CPRA.
Employers should also carefully consider what personal information they collect from Workforce Members (defined and discussed under “Workforce Data Exception” below) and whether it is used for purposes that are not covered by the Workforce Data Exception. For example, personal information sold to companies for advertising purposes would fall outside the scope of the Workforce Data Exception. Any use that is not covered by the exception must comply with the broader CCPA requirements, including: notice and information rights, deletion rights, personal information sale prevention rights, and freedom from discrimination. Again, the advice of legal counsel should be followed in making these determinations.
The CCPA provides protections for California residents that include individuals who are either: (1) in California for other than a temporary or transitory purpose, or (2) domiciled in California but are currently outside the state for a temporary or transitory purpose. Given the broad coverage of individuals situated within or outside California, careful analysis is required to determine an employer’s obligations under these laws.
Workforce Data Exception
Until January 1, 2023, employers have a partial CCPA-compliance exemption called the “Workforce Data Exception.” The Workforce Data Exception is a temporary exemption for employers regarding personal information collected about “Workforce Members.” Workforce Members include covered individuals who are applicants, employees, owners, directors, officers, medical staff members, and independent contractors. Employers should be aware that this exception only applies if the personal information is collected and used:
- Solely within the context of that person’s role;
- For that person’s emergency contact information; or
- To administer that person’s benefits.
Within the scope of the Workforce Data Exception, covered businesses are relieved from all but two CCPA requirements. Employers have been required to and must still: (1) provide collection notices, and (2) adequately protect personal information they have collected. Notably, despite the exemption, Workforce Members still maintain a private right of action for data breaches.
Current Requirement for Employers: Collection Notices
Notwithstanding the exemption, covered businesses must provide Workforce Members with notice at or before the collection point containing: (1) the categories of personal information the business collects, and (2) the intended use purposes for those collected categories. A new notice is required before collecting personal information in new categories or for new purposes.
Employers may provide collection notices at or before the collection point in a variety of ways, and it is important for employers to develop a standardized process. A best practice would be to provide the notice – whether as a link or a physical copy – whenever collecting any personal information for the first time.
Current Requirement for Employers: Data Breaches and Reasonably Safeguarding Personal Information
Under California law, Workforce Members can bring a private right of action for certain data breaches when a business fails to implement reasonable security practices and procedures. In this context, “personal information” is defined more narrowly than the broader CCPA definition. Regarding data breaches, personal information is limited to a Workforce Member’s first and last name along with a specific subset of information. This subset includes a social security number, driver’s license number, account number or credit/debit card number when combined with the security information required to access the account, medical information, and health insurance information.
Employers can avoid potential liability by implementing reasonable security practices and procedures to protect personal information. While the CCPA does not define “reasonable security,” nor require specific security measures, employers can look for guidance to other California statutes that require reasonable security for personal information. For example, risk assessment standards already exist in the HIPAA compliance context. Employers should first review what types of sensitive information they collect from Workforce Members; from there, employers must assess the risks to the security of that information and determine which areas need to be strengthened.
Changes After Passage of CPRA
As previously reported, in November 2020, California voters approved the California Privacy Rights Act of 2020. Most substantive CPRA changes do not take effect until January 1, 2023. However, except for access requests, the CPRA’s new obligations will have a 12-month “lookback” provision which applies to any personal information the business collects on or after January 1, 2022.
Notably, the CPRA extends the Workforce Data Exception to January 1, 2023. However, upon the expiration, the CPRA requirements will apply to all personal information collected by covered businesses. Accordingly, employers will need to update privacy disclosures and comply with requirements regarding consumer rights, as discussed below.
The CPRA has an impact on consumers’ rights to control the collection, use, and disclosure of their personal information and allows access requests beyond the 12 months preceding the request. The CPRA also creates the following new consumer rights:
- Right to request a business correct any inaccurate personal information,
- Right to opt out of sharing personal information, and
- Right to request a business to restrict its use and disclosure of sensitive personal information.
Pending CPRA Amendments
Without a doubt, many businesses rely on the Workforce Data Exception to avoid additional obligations under the California privacy law. In mid-February 2022, two bills introduced by California Assembly Member Evan Low purport to extend the Workforce Data Exception. LB 2871 purports to strike the sunset provision altogether, extending the Workforce Data Exception indefinitely; LB 2891 purports to extend the exception by three years, until January 1, 2026. Both bills may be heard in committee on March 21, 2022.
Employers should keep a close eye on these regulations as they begin preparing for changes in 2023. Even with the Workforce Data Exception in effect, employers must ensure their collection notices and data security protocols comply with the CCPA. Additionally, employers should begin planning for the expiration of the Workforce Data Exception and the implementation of the CPRA, which creates additional rights for Workforce Members and therefore additional obligations for employers.
If you have any questions about these laws, or need updated policies or protocols, please contact a specialist in Koley Jessen’s Employment Law and Data Privacy and Security Practice Areas.
Special thanks to Austin Hoffman, Koley Jessen summer associate, for his contributions to this article.