The California Privacy Rights Act (CPRA) will take effect on Jan 1, 2023, and is described as the “most significant change in workplace privacy laws in U.S. history.” Here’s what employers should know.
Employee data rights
Essentially, employees (and applicants, contractors, emergency contacts, beneficiaries, board members, and more) will have the same data privacy rights as consumers under the California Consumer Privacy Act. This means they may request to see the personal information their employers have collected about them and request that this data be corrected or deleted.
Additionally, employees have the right to request what personal information about them has been shared and with whom. They may also tell their employers not to sell or share their personal information and limit how their employers use it.
Finally, business-to-business transactions are also subject to the CPRA.
Employers must inform employees about these rights
Employers must formally notify their employees, independent contractors and job applicants about the new rights under the CPRA. In addition to allowing employees to exercise these rights, employers must also respond to an employee’s information request within a set time period, documenting each request.
Employers may receive hundreds of resumes or applications for an open position but may only contact and interview a few of those applicants. However, the employer still needs to provide some notices at the point of collection to all applicants, even those it never contacts. Providing this notice may not be difficult for applications or resumes submitted through the employer’s website. Job postings sent to a third-party job board such as LinkedIn may need a link to the employer’s notice.
Another important step for employers will be reviewing their contracts with employee/applicant data service providers, such as a payroll processor. As you may know, service provider contracts must include specific provisions in order to retain service provider status. Employers will want to review contracts with service providers that process employee/applicant/contractor data to ensure they contain the required provisions.
“Personal information” and “sensitive personal information”
The CPRA clarifies the difference between personal and sensitive personal information (e.g., social security number, driver’s license number, state ID card and/or passport details) and illustrates the extra care that must be taken with sensitive personal information.
Prepare for compliance
Jan 1, 2023 is not far off. Employers that have not already done so should start preparing to comply with these new laws as soon as possible.
Yet to be established is how often employers must inform employees of their data privacy rights (just one time, once a year, once every five years?) and how detailed these disclosures should be. For example, would the right to correct data encompass past performance reviews and emails between management discussing the employee’s performance?
Consult your attorney if you’re unsure how to address compliance with these new laws.