On January 1, 2023, the California Consumer Privacy Act (CCPA) will be replaced by the California Privacy Rights Act (CPRA), which contains various requirements for businesses, including a set of opt-out requirements and controls on sensitive personal information such as precise geolocation, race/ethnicity, government identifiers, and email content. One of the key changes in the CPRA will be the expiration of CCPA’s employee data exception, originally set to expire in 2021 but extended to 2023 to coincide with CPRA’s entry into force.
This means that beginning on January 1, companies subject to the CPRA will need to begin treating the data of their Californian job applicants, consultants, and employees as personal information protected by California law. Even if your company is otherwise prepared for the CCPA with respect to your customer data, you should consider impacts on California employees. Companies should especially consider the following to the extent these issues have not been considered already:
- Ensure that your HR service provider contracts contain critical provisions. Now that employee data is covered by CPRA, you will need to ensure that HR vendor contracts contain the same provisions as other vendor contracts to avoid inadvertently creating a data ‘sale’. Critically, contracts should include appropriate use limitations for the data and a compliant scheme for disposal of the employee data at the end of the vendor’s engagement.
- Consider the approach to employee data subject requests. You may need to offer data rights to employees, including the right to access, correct, and delete employee data unless an applicable exception applies. In providing these rights, you will need to carefully balance the requirements of the law against its exceptions and your own corporate legal interests.
- Consider implications on insider threat programs, employee surveillance, and other topics: CPRA also introduces new requirements regarding the use of sensitive personal information (such as the requirement to provide an opt-out). Since sensitive personal information can include communications, employee monitoring may also be impacted. You will need to carefully consider whether your business will need to make changes to any automated insider threat detection or employee surveillance programs.
If you have any questions about this update, please contact Michael Young.