CPRA Employee Data Obligations

What is the CPRA?

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot. 56% of California voters favored the law as it amends and strengthens consumer data privacy rights granted by the CCPA in 2018.

Most notably, the CPRA grants new privacy protection rights to the employees of covered businesses. The exemption for employee data (originally provided by the CCPA) is scheduled to end on the same day as when the CPRA becomes effective i.e January 1st, 2023. CPRA’s enforcement will begin six months later, on July 1, 2023.

Organizations will have additional obligations to treat employee and consumer personal information similarly when the CPRA goes into effect. It is expected that the California Privacy Protection Agency (CPPA), the exclusive regulator and enforcement body set up by the CPRA, shall enact regulations that will adapt the CPRA requirements and business obligations towards employee data.

The new Employee rights under the CPRA

The CPRA grants the following DSR rights to employees concerning their Personal Information:

• The right to access (Section 1798.105) - Employers must provide all PI data, including its categories, sources, collection purposes, retention periods, and third-party disclosures/sales to employees when requested.
• The right to delete (Section 1798.106) - Employers must honor employees’ request to delete their PI data. For example, employees may ask organizations to delete their personal information after resigning and leaving the organization.
• The right to correct (Section 1798.110) - Employers must allow employees to rectify inaccurate or obsolete PI data. For example, they may ask the organization to correct any inaccuracies in their employee record.
• The right to opt-out of the sale/sharing of PI (Section 1798.115) - Employees now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.
• The right to limit the disclosure of sensitive PI (Section 1798.120) - Employees may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.
• The right to access information on automated decision-making (pending regulations) (Section 1798.130) - Employees will have the right to request information about automated decision-making processes based on their personal information. Employees may also request a description of the likely outcomes that will result from these processes.
• The right to opt-out of automated decision-making (pending regulations) (Section 1798.135) - Employees may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”
• The right to non-discrimination (Section 1798.185 and Section 1798.145(m)) - This means that organizations are not allowed to retaliate or discriminate against their employees for exercising their CPRA rights.

Businesses’ obligations toward Employee Personal Information

Notice Requirement before Collection of PI and SPI
(CPRA Section 1798.100(a)/(CCPA Section 1798.100(b))

Similar to the CCPA requirement for notice which is applicable to employers right now, (despite the general exemption on employee data), as per the CPRA, businesses must also notify employees before or at the point of collection of their personal information (PI) or sensitive personal information (SPI). The notice must include the following details:

• The categories of PI to be collected;
• The purposes for which the PI is to be collected;
• Whether the collected PI is sold or shared - the employee must be given the option to opt-out;
• The retention period of keeping their PI or the method used to determine a reasonable period.

Restriction on collection/use of PI beyond the information provided in the Notice
(CPRA Section 1798.100(a) (CCPA Section 1798.100(b))

Businesses must not collect additional PI/Sensitive PI or use the already collected PI/Sensitive PI of employees for any purpose that is incompatible with the earlier disclosed purpose unless they provide a new notice to the employee.

Transparent Privacy Policy
(CPRA Section 1798.130)

The CPRA requires employers to provide a transparent and accessible privacy policy to their employees or a California specific portion within their existing policy which should contain the following information:

• A list of the categories of PI it has collected about its employees in the preceding 12 months;
• Categories of sources from where it has collected employees’ PI;
• Business or commercial purpose for collecting, selling or sharing employees’ PI;
• Whether the business sells or shares employees’ PI or discloses it for a business purpose;
• If the business sells or shares employees’ PI, a list of the categories of personal information it has sold or shared about employees in the preceding 12 months;
• If the business discloses employees’ PI, a list of the categories of employees’ PI it has disclosed about employees for a business purpose in the preceding 12 months;
• Categories of third parties to whom business discloses employees’ PI;
• Employees' data privacy rights under the CPRA and the method to exercise them.

Regular Risk Assessments
(CPRA Section 1798.185 and 1798.145(m))

The CPRA also requires organizations to conduct regular risk assessments to evaluate the privacy risks of processing activities. One of the factors that can be used to evaluate a processing activity is the use of employees’ sensitive PI data. All assessments must weigh the privacy risks of the processing activity against the benefits that are provided. This assessment then needs to be submitted to the CPPA.

Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This will allow the organization to conduct timely risk assessments and identify problem areas quickly.

Other Employee Data obligations of the Organization

Implement Reasonable Security Controls
(CPRA Section 1798.100(e) and Cal Civ Code 1798.81.5 read with CPRA Section 1798.150 (CCPA Section 1798.150))

Businesses must take reasonable and appropriate security practices to protect employees’ PI. Failure to undertake reasonable and appropriate security measures which result in a breach of the employees’ PI (or employee account and password details) may make the business liable to a private right of action. This action can range from $100 to $750 in statutory damages (or actual damages). However, the business has a period of 30 days after receiving the mandatory notice to remediate the issue.

Breach Notification
(CPRA Section 1798.150 (CCPA Section 1798.150), Cal Civ Code 1798.81)

Businesses must notify employees of any breach of unredacted/unencrypted PI (or employee account and password details). Businesses must also notify employees if they encrypted the PI, but the encryption key/security credential is compromised. The notification should be made as soon as reasonably possible. This does not include the time taken to understand the breach’s scope and regain reasonable integrity of the system.

Contracts to carry forward protections
(CPRA Section 1798.100(d) and Section 1798.145(m))

Businesses must enter into contracts with the third-party, service provider, or contractor with whom it sells or shares employees PI with, to ensure: 

• The PI of employees is sold/shared for a limited and specific purpose,
• The third-party, service provider or contractor provides a similar level of privacy protection to employee PI,
• The third-party, service provider or contractor notifies the business if it cannot provide the same level of protection to employee PI,
• The business can take steps to remediate employees’ PI if a third party, service provider, or contractor fails to uphold their obligations.