CPRA Brings Big Changes To Perceived Big Brother Employers – Privacy Protection – United States – Mondaq

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.
Seyfarth Synopsis: Employers need to be aware and prepare for significant changes to options and rights afforded to employees with respect to their private data and information coming with the California Privacy Rights Act's (CPRA) January 1, 2023, operative date. Employers will have significant obligations when the grace periods for HR and business to business (B2B) data expire on that date.
In November 2020, California residents voted to pass the CPRA, which gives California consumers heightened rights and control over their personal information. Until recently, the older privacy statute, the California Consumer Privacy Act (CCPA), has basically been a floater for California employers, with minimal obligations being enforced, as we previously blogged about.
The current obligations are limited to providing employees (or job applicants, contractors, or other workers) with a notice of collection and reasonably safeguarding their personal information, due to a partial exemption under the CCPA for information collected in the context of employment.
But, these privacy protections are about to go from floater status to Head of Household on January 1, 2023, when the partial exemption for employers under the CCPA will expire. Although legislation was proposed to extend the exemption for employers until at least January 1, 2026, the last day on which the California legislature could have passed those bills into law was August 31, 2022—now the business to business (B2B) and HR exemptions have been evicted from the law and employees will be able to leverage their new privacy rights in several new ways, including in the context of disputes.
California employees of covered employers will have increased rights as of January 1, 2023, and accordingly, their employers will have increased compliance obligations. These new rights include, among others:
Employers will need to evaluate employee requests to exercise their rights to determine their obligations under the CPRA, as employers have certain bases to deny employee requests.
For example, if an employee wants to exercise their right to deletion, the employer could rightfully deny that request to the extent that certain personal information is required to carry out the employment relationship (to process payroll, provide benefits, etc.). Or, employers could deny the request because of statutory requirements that dictate the retention of certain employment related information, such as demographic and pay information that must be the subject of regulatory reporting.
Also, the right to rectification can also be significantly limited to certain personal information that can be verified. So, while it would be reasonable for an employee to change their address, it may not be reasonable without backup documentation for them to change their Social Security number or taxation information. Employers are also still allowed to utilize data to enable solely internal uses that are reasonably aligned with the expectations of the employee based on their relationship with the employer.
However, in the wake of employee requests, covered employers must keep in mind that the CPRA prohibits discrimination against employees for exercising their rights under CPRA—so be careful if these individuals are selected to go on the block.
Before year's end, there are a number of steps that employers should take to prepare for their new obligations. Organizations should consider the following when determining whether they are CPRA ready:
This is a significant change for California employers that may require a re-assessment of how personal data is handled and maintained, policy and procedure changes, or even a complete overhaul of privacy and cybersecurity activities. Wise employers won't be caught as a have-not and will begin these initiatives now in order to meet the deadlines January 1, 2023, deadline.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
  © Mondaq® Ltd 1994 – 2022. All Rights Reserved.

Passwords are Case Sensitive

Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.