What California Employers Need to Do with the new California Privacy Rights Act
The California Privacy Rights Act (“CPRA”) will be enforced starting on January 1, 2023, and will expand privacy rights under the California Consumer Privacy Act (“CCPA”). The California Consumer Privacy Act [Prop 24 passed with California voters in November 2020] provides California employers some exemptions with respect to employment-related personal information, when that personal information is collected and only used in connection with the person’s role as an employee, applicant, dependent or spouse of an employee, beneficiary, independent contractor or owner. The CPRA expands upon and amends the CCPA, which has led to it being known as CCPA 2.0. However, it was on the ballot officially as Prop 24.
It appears that, unlike the CPRA, the CCPA does not extend certain consumer rights, including the right to access or delete personal information, to employees. As reported in Law360.com, businesses subject to the CPRA will have to comply with obligations related to the processing of employee data.
What Kind of Data Breach Can I Sue a Business for – OK, Get Sued for – under the CCPA?
You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:
- Your social security number
- Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
- Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
- Your medical or health insurance information
- Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
This personal information must have been stolen in nonencrypted and nonredacted form.
CCPA Applies to Employers in California
The CCPA does not provide a blanket exemption for employment-related data. Employers are still required to adequately safeguard the personal information they collect and to provide the individual employee with a notice of processing at or prior to the point of collecting the personal information. A practical example would be a Notice to Employees stating that we collect and maintain your pay and time data, health information, sick time and vacation data, as well as CaliforniaChoice and Cal-COBRA information, banking information (for direct deposits) and retirement information for 401K plans, etc.
Employee data under the CPRA
Employers must prepare and provide a privacy notice to an employee and/or job applicant at or before the time personal information is collected.
This notice must include:
(1) the categories of sensitive personal information,
(2) whether that sensitive personal information is sold or shared, and
(3) the length of time the employer intends to retain each category of sensitive personal information.
If an employer allows a third party (such as Human Resources management software, PeopleSoft, Kronos, QuickBooks, Microsoft [Think of Outlook collecting name, address, personal cell phone, and emails] or Clio) to collect personal information on its behalf, the CPRA requires that the third-party collector provide notice at collection. Along with providing notice that includes the consumer’s rights, who is collecting the data, and how and for what purpose such data is being collected, sold, used, or shared, an employer must also include the categories of all third parties to which the employer discloses consumer personal information, or which the employer allows to collect consumer personal information.
Unless they can rely on an exemption, employers must honor consumer requests, such as the right to delete, know of, correct, access or opt out of both the sale and sharing of personal information, and limit the use and disclosure of sensitive personal information. In addition, employers must ensure they meet the requirements for data portability and non-discrimination with regard to consumer requests.
Businesses are now required to enter into a data processing agreement with all of their vendors [overload it seems], including service providers, contractors, or other third parties that may have access to their personal information. This requirement applies regardless of the types of personal information processed, employment-related or otherwise. The data processing agreement must also include the following provisions:
- Identify the limited and specific business purposes and services for which the vendor will process personal information as set forth within the contract.
- Prohibit retaining, using or disclosing the personal information for any purpose other than those specified in the contract.
- Prohibit retaining, using or disclosing the personal information received for any commercial purpose other than the business purposes specified in the contract.
- Prohibit retaining, using or disclosing the personal information outside of the direct relationship between the vendor and the business and prohibit retaining, using or disclosing the personal information for any purposes other than the business purposes specified in the contract.
- Require that the vendors will comply with the applicable obligations under the CPRA and provide the same level of privacy protection as required.
- Require that the vendor notify the business if the vendor can no longer comply with the obligations under the CPRA.
- Grant the business the right to take reasonable and appropriate steps to ensure that the vendor uses the personal information in a manner consistent with the business’s obligations under the CPRA.
- Grant the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
- Require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with, and provide the information necessary for the service provider or contractor to comply with the request.
In addition to the requirements listed above, a business must include the following provisions:
- prohibit the sale and sharing of personal information; and
- require notification of any contractors engaged, and mandate that the contractors be contractually bound to the same processing obligations.
Businesses must safeguard the personal information against unauthorized disclosures and provide employees with the right to limit the use and disclosure of sensitive information.
Businesses are also required to conduct due diligence assessments, such as audits, on their vendors to ensure that they can process personal information in compliance with the CPRA.
What Should Employers Do to Get Ready for the CPRA?
Businesses should begin to implement the below recommended actions ASAP. Right now, the California Office of the Attorney General will be up in your grill with violations, and next, God Forbid, a new agency is being created. Imagine your client, or worse, your office, being the poster child for a new agency looking to draw blood on some hapless company that forgot to notify QuickBooks (Intuit), Microsoft or the local Schools First Federal Credit Union of its new requirements! Ouch!
This new law creates a new dedicated privacy agency, the California Privacy Protection Agency, to handle enforcement. It will be governed by a five-member board appointed by the Governor (appointing the Chair and one other member), the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. These appointees must have expertise in the areas of privacy, technology and consumer rights (with some restrictions to help ensure that they remain free from external influence). How we measure “experience” and ensure they are “free from external influence” is still up for debate.
Board members cannot serve for more than eight (8) consecutive years and may be removed during that time by their appointing authority. For two (2) years after they leave the agency, they are also unable to work for any person or organization that currently has an issue before it or was subject to an enforcement action during the five-year period preceding the board member’s appointment. That does not restrict them from doing consulting work or working directly for a company that has not yet been audited but may be “on the radar,” which, to us, leaves room for abuse.
Headed by a board-appointed executive director, this agency will be partially funded by enforcement actions with any administrative fines assessed or settlement proceeds going directly into the Consumer Privacy Fund. It will also receive an annual $10,000,000 (adjusted annually) from the General Fund. Your tax dollars at work.
Employers Must Learn and Manage their Data
Rather than yell at Junior sitting on the couch until 4 AM playing Call of Duty and Madden NFL 2023, you need to hire him as your new data consultant. If the terms data wrangling (has nothing to do with cattle wrestling), identity transform (has nothing to do with sex changes) and reusable transformation library are all foreign to you, whip out your American Express Card, as you and other businesses are going to have to pay to get compliant quickly. We never thought matching attributes (@*) and nodes would make their way into employment law.
To stay compliant with the CPRA, a business should know and understand what type of employment-related personal information it collects and processes. This can be accomplished by completing a data mapping exercise. This is not like Geocaching or even mapping a trail hike in Big Bear; this is some advanced stuff! See this Data Mapping explanation and a chart as an example, courtesy of Wikipedia.
In addition to data mapping [some vendors include Manta, TerraTrue and Clarip. No, I have not been paid], companies should review and update existing privacy impact and cybersecurity assessment programs. This step alone will provide useful insight on the type of data a business collects and processes, which could help remediate any privacy and security compliance gaps.
Hire Lawyers and Consultants and Understand the CCPA and CPRA
What was that last word of advice? Yes, hire lawyers and experts and vendors! Oh my! Businesses must gain a clear understanding of the CPRA consumer rights and their interaction with the CCPA. As the CPRA consumer rights are broader than the CCPA, it should be easier for larger companies to comply. Some examples of the CPRA’s requirements allow consumers to request that a business (including a law firm):
- Correct personal information that is inaccurate;
- Limit its use of their sensitive personal information;
- Allow access to information about automated decision-making; and
- Provide an option to opt-out of such automated decision-making technology.
The rest of the consumer rights are similar to those found under the CCPA but are expanded or modified. California companies should also understand their obligations to respond to and fulfill any consumer requests, whether or not they seem ridiculous.
The CPRA provides a business with exemptions that, if applicable, could exempt a business from having to fulfill a consumer request. Unlike the CCPA, which allows for its exemptions to be used only for certain consumer rights, the CPRA allows the use of the exemptions toward any of the consumer rights.
Along with understanding consumer rights, a business should also understand the new rights of its employees with respect to their personal information. By creating or updating their business plan, companies can manage the new employee rights and consumer request obligations. A business should also incorporate and/or update its retention schedule for employment-related personal information – most are currently 7 years – and its employee privacy notices to include CPRA notice requirements.
Review Vendor Agreements and Policies
California companies need to know what information vendors are collecting and processing. Each vendor agreement should include the appropriate data processing and information security terms and obligations. However, the law remains unclear on what smaller companies and firms, like us, can do if the necessary vendor fails to comply with its requirements. It appears we may all be entering the employee leasing business model where “everyone gets sued.” Microsoft has a data breach, so Company A (vendor) and Company B (service provider), and Company C (actual company with employees) all get sued.
We would also suggest that our California companies consider only doing business with US companies, since defendants like Shopify (we are Canadian, yeah? You bet ‘cha – United States District Court Judge Edward Chen stated that the US-based court does not have jurisdiction over the two entities since they are headquartered in Canada and France) seem to avoid liability, leaving your business without a potential source of indemnification under these scenarios. Comment dire – que c’est nul!
Review existing policies.
Finally, we suggest all companies review their employee handbooks, operation manuals, and information technology policies and procedures, in particular those relating to the use of personal devices for work purposes, lest they be in the cross-hairs of California.
In today’s modern world, employees may conduct certain business functions on their personal devices, via certain applications like Slack, Outlook, Teams, Zoom, and even QuickBooks (Bill! Bill! Bill!). This can be considered “collecting and processing personal information” and needs to be addressed now or at the latest in 2023 when this legislation takes effect.
If you have any questions about this article, Employee handbooks (we write them too), or have issues with unpaid wages, commissions, company charges to your wages, business expenses, off-the-clock work, or any issues with your pay at your current or former employer, please feel free to contact:
Richard E. Quintilone II, Esq., Kyle Gallego, Esq. or Jeffrey T. Green, Esq.
Quintilone & Associates 22974 El Toro Road, Suite 100 Lake Forest CA 92630
Phone 949.458.9675 619.709.7999 Fax 949.458.9679 Email req@quintlaw.com; kjg@quintlaw.com or jtg@quintlaw.com web www.quintlaw.com