In most contexts, employees should have a low expectation of privacy in the workplace. Their computers, desks, and other common areas may be subject to strict company control and their conduct subject to workplace policies. But as we will discuss in an upcoming two-part series on The Performance Review (Greenberg Traurig’s California Labor and Employment Podcast), there are many aspects of employee privacy and related laws of which California employers must be aware. One such area, with rapidly approaching deadlines, is the California Privacy Rights Act (“CPRA”).
In November 2020, Californians voted in favor of the CPRA, further expanding employee and consumer privacy rights for California residents. Following consumer privacy trends like Europe’s Global Data Privacy Regulation, California has been on the move to enhance privacy, not just for consumers, but for employees. The CPRA amends the California Consumer Privacy Act (“CCPA”), which the California legislature passed in 2018 and which went into effect on January 1, 2020. Unlike the CCPA, which was amended in 2019 to have only limited application to employees, job applicants and independent contractors, the CPRA will extend various individual rights to employees, job applicants and independent contractors. Consequently, employers subject to the CPRA will need to start preparing in the near future to ensure they have the necessary procedures, policies and contract amendments in place by the CPRA’s January 1, 2023 effective date.
What Is the CCPA?
In general, the CCPA was enacted to enhance the privacy rights of California residents by providing them with notice of how their personal information is being processed and the purpose for such processing, and by allowing them greater control of their personal information. While the CCPA provides California residents the rights of access, deletion and opt-out of “sales” of their personal information, it did not extend most of these rights to California employees. It did, however, expand employee rights in two significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and the purpose for collection; and (2) it provides for statutory damages ranging from $100 to $750 if certain personal information is breached. Further, the CCPA requires businesses to have “reasonable security procedures and practices” in place to protect their California employees’ personal information.
Which Employers Are Subject to the CPRA?
The CPRA amends the CCPA’s definition of a covered “business” to minimize its impact on small- to medium-sized businesses. The CPRA applies to for-profit organizations that collect personal information on California residents, determine the purposes and means of processing the personal information, do business in California and satisfy one of the following thresholds:
(1) as of January 1, had annual gross revenues in excess of $25 million in the preceding calendar year; or
(2) buys, sells or shares the personal information of at least 100,000 California consumers or households; or
(3) derives at least fifty percent of its annual revenue from selling or sharing consumers’ personal information.
It is important to note that an employer does not need to have a physical location in California to be subject to the CPRA, but rather it must only satisfy the definition above.
What Is the CPRA and How Does It Impact the CCPA?
The CPRA materially amends the CCPA by adding a number of provisions to expand employee privacy rights. However, like the CCPA, the CPRA does not apply to personal information collected from an individual acting as a job applicant, an employee, owner, director, officer, staff member or contractor, with regard to benefits administration and maintenance of emergency contact information.
New Business Definition. Although it contains many of the same definitions as the CCPA, the CPRA changes one of the thresholds for an entity to meet the definition of a “business” subject to the law: it raises the threshold from 50,000 to 100,000 or more consumers or households, and removes devices from the threshold.
Sensitive Personal Information Definition. The CPRA includes “sensitive personal information” as a defined term and requires businesses to provide notice to employees when such information is processed, the purposes for the processing, whether the information will be sold or shared, and the length of time the business intends to retain each category of sensitive personal information. The term is broadly defined to include social security and driver’s license numbers, financial account information, credit card numbers, account passwords, geolocations, genetic data, biometric information, records of products purchased, internet browsing history, and the content of emails and text messages. See Cal. Civ. Code §1798.140(ae).
Individual Rights. The CPRA also provides for new and modified individual rights, which impact employees. It imposes restrictions and requirements on personal information, including disclosure requirements, opt-out requirements, opt-in consent for use and disclosure, and limitations on purposes for which information may be used. For example, the CPRA includes a right to correction, whereby consumers may request corrections to personal information if it is inaccurate. It provides a right to opt out of the use of automated decision-making technology (including profiling in connection with decisions related to work performance, economic status, health, personal preferences, location or movements). It also provides the right to restrict or limit the use and disclosure of sensitive personal information for secondary purposes, such as prohibiting businesses from disclosing certain information to third parties.
Flow-down Provisions. The CPRA also contains flow-down provisions that require employers to understand how third parties use, share and secure consumer data. Employers should identify third parties and vendors that receive their employee or applicant personal information (e.g., payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies) and conduct vendor inquiries and diligence about how those third parties use, share and secure the employee personal information. The CPRA requires businesses with such vendors to enter into agreements to ensure compliance with the CPRA, including the right, upon notice, to take reasonable steps to remediate unauthorized use of personal information.
Data Retention. The CPRA requires businesses to inform California residents of the length of time they will retain each category of personal information and sensitive personal information or the criteria used to determine that period.
Expanded Right of Action for Breach of Login Credentials. Moreover, the CPRA expands the types of data breaches for which a California resident can recover statutory damages to include breaches of personal online login credentials (such as passwords or security questions that permit access to an online account). The existing right to recover statutory damages, particularly when coupled with this expansion, provides covered employers a strong incentive to enhance their security measures.
Yeah, But, What if We Don’t Comply?
Failure to comply with the CCPA (and later the CPRA) can carry significant fines. The CCPA currently charges the Office of the Attorney General (OAG) with issuing regulations and enforcing the CCPA. The OAG can bring civil actions to enforce the law and impose penalties up to $7,500 for intentional violations and $2,500 for unintentional violations. The CCPA also contains a private right of action, allowing for $100 to $750 in damages for each incident of breach. These penalties can add up quickly, particularly in a class action context. There is, however, a 30-day cure period in which an employer can cure a violation and provide an express written statement that the violation has been cured, to avoid penalties. Cal. Civ. Code §§1798.150(b); 1798.155(b).
Under the CPRA, the 30-day cure period no longer applies to general violations of the law, but rather only as a means of preventing individual or class-wide statutory damages as part of a private right of action for security violations. In addition, the CPRA creates a new enforcement mechanism and establishes the California Privacy Protection Agency (CPPA). The CPRA expands rulemaking and enforcement power to the CPPA, which includes the authority to require businesses to submit annual privacy and security risk assessments and to audit those assessments. The CPPA will be governed by a five-member board, which was appointed in March.
When Does the CPRA Go into Effect?
The CPRA will become operative on January 1, 2023, and enforcement actions are slated to begin on July 1, 2023. However, it is important to recognize that the CPRA includes a one-year “look-back provision,” which requires that when a business receives a request on January 1, 2023 (the day the law goes into effect), it must be prepared to provide responsive information going back to January 1, 2022. With these deadlines looming, California employers should prepare their CPRA compliance workplans as soon as possible and begin taking the necessary steps to come into compliance.
How Do Employers Prepare for the CPRA?
It will take most businesses at least 12 months to become substantially compliant with the CPRA. With the CCPA already in place, employers should already be on the move to update their privacy compliance practices. Below is a checklist to help build effective privacy and security programs in preparation for the CPRA:
- Determine if your organization is a covered business under the CPRA.
- Create a team consisting of members from HR, Legal, Compliance and IT to lead your CPRA compliance project.
- Map and classify personal information and identify sensitive personal information.
- Revise (or develop) workforce disclosures to include new definitions and rights.
- Develop workforce request workflows for rights to access, correct, opt-out of sharing and sales, and delete personal information.
- Put in place contractual provisions with workforce vendors including diligence and contractual indemnity.
- Develop, enforce and audit document retention policies.
Although new rulemaking may affect the exact confines of the CPRA, employers should create a plan now and start taking the necessary steps to come into compliance, as 2023 will soon be upon us. And be on the lookout for Greenberg Traurig’s upcoming podcast, where we will discuss employee privacy rights, including those under the CPRA, among several other aspects of workplace privacy.