e-Alert: California Privacy Rights Act: Creating and Posting a Privacy Policy for HR Data

Summary

Effective January 1, 2023, the CPRA will require employers to comply with two types of notice requirements. The first requirement is the notice at collection, which HRK outlined in a previous e-Alert. The second notice requirement is a privacy policy that details the handling of HR data and must be posted online or on the employer’s website.

The CCPA previously exempted the data of employees, applicants, independent contractors, dependents, and other HR individuals from the majority of its requirements. However, the CPRA sunsets this exemption of HR data and imposes new obligations for handling personal information to include a privacy policy.

The privacy policy must disclose the following information:

• Personal information collected by the employer during the preceding 12 months;
• Sources from which the personal information is collected;
• The business or commercial purposes for collecting, selling, or sharing that personal information;
• Third parties to which personal information is disclosed;
• The categories of personal information sold or shared for purposes of cross-context behavioral advertising in the preceding 12 months;
• Personal information disclosed for a business purpose in the preceding 12 months; and
• The individual’s CPRA rights and how to exercise those rights, which includes a toll-free telephone number and at least one other method for submitting requests.

While this list may look familiar to the requirements of the notice at collection, there a several important differentiations:

1. The privacy policy is retrospective and provides details regarding the employer’s information handling during the prior 12 months. The notice at collection is prospective.
2. The notice at collection may include the personal information being collected at the time of notice, whereas the privacy policy is an inclusive document that will itemize how the information is handled
3. The privacy policy is not required to include information about data retention.

Opt-Out Options

Typically, employers do not sell or share HR data with third parties in exchange for monetary consideration or advertising purposes. For such employers, the privacy policy should include a conspicuous statement disclosing they have not sold or shared personal information in the prior 12 months. For employers that do share or sell such personal information, a link should be included on the privacy policy where the individual may opt out. Furthermore, if the employer infers characteristics from sensitive personal data and uses or discloses the information beyond operational purposes outlined by the CPRA, the privacy policy must include a notice and provide individuals the option to opt out.

Distribution of the Privacy Policy

The law requires employers to post the privacy policy:

1. In the company’s online privacy policy and any California-specific description of an individual’s privacy rights (i.e.: in combination with the notice at collection); or
2. On its internet website
   • Note: The CPRA does not currently define “online,” therefore it could be assumed that an organization’s intranet is acceptable. Keep in mind that applicants would not have access to an employer’s intranet. If using this approach, a separate privacy policy would need to be posted on a career/job posting website or similar forum.

Updates and Maintenance of the Privacy Policy

The privacy policy must be updated annually and “at least once every 12 months.” Employers may create and maintain an annual review process to ensure changes in the company’s data handling practices are updated for any material change.

Employer Next Steps