e-Alert: California Privacy Rights Act: “Notice at Collection Requirement

Summary

Covered Employers

CPRA applicability goes beyond just employers located in California. Instead, it is based on revenue and whether the organization handles personal information, which is defined broadly. Employers who fall into one or more of the following categories must comply with the “Notice at Collection” requirements:

• Had a gross annual revenue of at least $25 million in the previous calendar year; or
• Annually collects, stores, discloses, or otherwise uses the personal information of 100,000 California households or residents; or
• Obtains 50% or more of its annual revenue from sharing or selling the personal information of California residents

Content and Timeline

The notice must be distributed to employees at or before the time the information is collected by the employer which must include the following:

• Categories of information that are being collected
  • Personal Information
  • Sensitive Personal Information
• Purposes of use for each category
• Intent to sell or share information with a third party
• Retention Schedule

If a category of information is used in a different capacity than what the notice originally outlined, a new notice must be created and distributed to the affected employees.

Expanded Sensitive Personal Information Category

The CPRA’s definition of sensitive personal information includes several categories of information, some of which employers may already treat as confidential, including:

• Social security numbers
• Driver’s license/state identification cards
• Passport numbers
• Financial account or credit card numbers
• Genetic data
• Health information

Generally speaking, the contents of job applications, employee personnel records, employee tracking, and employee communications are all “personal information” under the CPRA.

The CPRA adds to the category of sensitive personal information by including any information that reveals an employee’s:

• Racial or ethnic origin
• Religious of philosophical beliefs
• Union membership
• Precise geolocation
• Sex life or sexual orientation and/or
• Mail, email, or text messages*

*Mail, email, and text messages that are intended for business use are not required to be included in the notice.

It is worth noting that if the expanded list of sensitive personal information categories is not collected or used by the employer for purposes of drawing inferences about its workforce, it can be listed as personal information within the other categories of personal information. Employers should audit their categories of information with an eye on this differentiation until final regulations are released.

Intent to Sell or Share Information with a Third Party

As most employers do not share personal information, the simplest course of action is for employers to declare that they will not share or sell personal information to third parties. However, should employers decide to sell or share information with a third party, they will be required to comply and must provide employees with the following three options:

• Comprehensive opt-out from sale and/or sharing of Personal Information, including limiting the use of sensitive personal information
• Option to limit the use of sensitive personal information
• Do not sell/Do not share/Do not share personal information for the purposes of cross-context behavioral advertising

Retention Schedule

The notice must include the scope of time for which the company intends to retain the collected information. While employers do not need to separate out each individual piece of data into separate retention schedules, employers must determine how long they will retain the information to satisfy this piece of the notice requirement. If any information is collected for the purpose of “inferring characteristics” about its employees, those retention details must be defined separately.

Employer Next Steps

• Continue to monitor final regulations for the CPRA, which will be issued by California’s Attorney General Office no later than July 1, 2022
• Given the amount of information needed to be disclosed, employers doing business in California or recruiting in the state should start taking steps now to compile the data; this may mean working with other teams such as finance or marketing.
• Assess the categories of sensitive personal information being collected about employees, job applicants, and contractors to determine how it is being used in preparation for notice requirements
• Obtain, create, and/or revise the data retention philosophy based on federal, state, and CPRA retention guidelines
• Assess the nature of data transfers to third parties
• For multi-state employers, decide if you want to comply with California state law across your entire workforce
• If you already have gone through a data mapping exercise for the General Data Protection Regulation (GDPR), or CCPA compliance in relation to consumer data, this is effectively the same exercise for CPRA.
• If you are a Full-Service or Virtual HR client and have questions about this e-Alert, please email us