United States: Employers must prepare now for new California employee privacy rights

In brief

Employers will have to disclose that they have been "selling" personal information of California employees under the California Consumer Privacy Act (CCPA), unless they update commercial contracts with service providers and other business partners effective 1 January 2022. Also, employers should tighten their data retention and deletion protocols, because CCPA requires data minimization and California employees are gaining broad data access, portability, and correction and deletion rights. Deployments of Artificial Intelligence, employee monitoring software, and automated decision-making are coming under increased scrutiny, too, pursuant to CCPA. Employers face these new requirements in addition to an existing obligation under CCPA to issue privacy notices to employees, which has applied since 1 January 2020 and required an update when the California Privacy Rights Act of 2020 (CPRA) took effect on 16 December 2020.


Background on CPRA and CCPA

CCPA was originally introduced as a ballot initiative in 2018, focused on consumer privacy but with broad requirements also for employers. After a compromise with the legislature in the summer of 2018, CCPA was enacted as a statute to take effect on 1 January 2020, with a temporary carve-out for employee information. The legislature amended CCPA several times and its original proponents launched a second ballot initiative in 2020 on CPRA, which passed at the general election and extended the temporary carve-out for employee information until 1 January 2023. At that time, business will be fully subject to CCPA requirements concerning all personal information - including information of consumers, employee and individual representatives of corporate business partners. Among other things, businesses will have to disclose whether they have been "selling" or "sharing" personal information in the preceding 12 months, i.e., after 1 January 2022. 

CCPA Changes

Key CPRA revisions include a new definition of "sensitive personal information" and detailed obligations regarding the processing of sensitive personal information for non-essential purposes; a new and counterintuitive definition of "sharing" personal information and related restrictions aimed at the digital advertising industry; new data subject rights to correct inaccurate information and opt-out of the use of automated decision-making technology; new requirements to include data protection and processing terms in contracts with data recipients and vendors; new requirements regarding what privacy notices must include and how they must be furnished to data subjects; and the establishment of a new privacy authority, the California Privacy Protection Agency. For more details, see here

Statutory Notice Requirement

According to the revised Cal. Civ. Code §§1798.100(a), 1798.145(m)(3), businesses have to provide job applicants, employees and other workers with an expanded privacy notice that includes certain details not currently required under CCPA, including the categories of sensitive personal information it collects and how long it retains personal information.

1798.100. (a) A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to:

  1. the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice consistent with this section.   
  2.  if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used and whether such information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected, without providing the consumer with notice consistent with this section.
  3.  the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period, provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

Effective Date

Cal. Civ. Code §1798.145(m)(3) takes effect immediately pursuant to Section 31(b) of the CPRA. The changes to Cal. Civ. Code §1798.100 are delayed until 1 January 2023. Californians for Privacy, the proponents of ballot initiative 24 that launched CPRA stated at a recent conference that they intended the cross-reference in Cal. Civ. Code §1798.145(m)(3) point to the revised Cal. Civ. Code §1798.100(a), which expands notice requirements. The currently applicable version of §1798.100(a) contains an obligation on businesses to disclose specific pieces of personal information to consumers on request; this obligation is deferred until 1 January 2023 with respect to employee data.

Avoid Harmful Side Effects

When California employers update their employee privacy notices, they have to be mindful of setting or negating privacy expectations. If employers issue privacy notices to employees and job candidates that merely list the categories of information required by CPRA, the recipients of such notices may develop limited privacy expectations that could later hinder employers in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives (see here for more on monitoring employees).  

Record Retention and Data Deletion

When employees and job candidates gain data access, portability, correction and deletion rights on 1 January 2023, California employers will face similarly difficult situations as they have been encountering in the EU under the GDPR since 2018. CCPA covers much more than employee files. Any email, spreadsheet, contract or other document that refers to a California-based employee constitutes "personal information," which may have to be discovered and produced in response to an access request, free of charge. To keep track of where information is stored and at the same time reduce the amount of data that is potentially subject to data access requests, employers should work on tightening their data retention and deletion protocols. This will help employers also to comply with the new data minimization requirements contained in California Civil Code §1798.100(c): 

A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes. 

Outlook and Practical Guidance

The newly established California Privacy Protection Agency has started the process of drafting regulations by 1 July 2022 specifying how certain requirements under the revised CCPA apply. Most large and medium-sized companies that do business in California will be impacted. Compliance with the European Union General Data Protection Regulation (GDPR) or other jurisdictions' privacy or data protection laws is not sufficient to meet requirements under the revised CCPA, which are prescriptive and require companies to use counterintuitive terminology on website links and in privacy notices. For example, the revised CCPA defines "sharing personal information" to mean disclosing personal information for cross-context behavioral advertising purposes, and imposes onerous technical requirements on businesses that "share" or "sell" California residents' personal information with other parties. Employers that inform employees that they do not "sell" their personal information or "share" it for cross-context behavioral advertising, must also urgently update all vendor agreements to back up such representations. 

For more details see, Lothar Determann, California Privacy Law, and Determann's Field Guide to Data Privacy Law.

 

This article was originally published in the January 2022 edition of LegalBytes, which can be found here.

Contact Information
Lothar Determann
Partner at BakerMcKenzie
Palo Alto
lothar.determann@bakermckenzie.com

Copyright © 2022 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.