The California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023, applies to personal information collected on or after January 1, 2022. The CPRA significantly expands California's existing privacy law, the California Consumer Privacy Act (CCPA). The three main areas for compliance are notice, employee rights, and data governance requirements. Covered employers will need to provide a privacy notice, or "notice at collection," that explains how the organization will use, disclose, and retain the personal information (HR-related information, for example) it obtains. The content of this new notice is far more detailed than the notice obligation already in place under the CCPA.
CPRA applicability goes beyond just employers located in California. Instead, it is based on revenue and whether the organization handles personal information, which is defined broadly. Employers who fall into one or more of the following categories must comply with the “Notice at Collection” requirements:
- Had gross annual revenue of more than $25 million in the preceding calendar year; or
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households; or
- Derives 50% or more of its annual revenue from selling or sharing the personal information of California residents
Content and Timeline
The notice must be provided to employees at or before the time the employer collects the information, and it must include the following:
- Categories of information being collected
  - Personal Information
  - Sensitive Personal Information
- Purposes of use for each category
- Whether the employer intends to sell or share the information with a third party
- Retention schedule
If a category of information is later used for a purpose the original notice did not disclose, a new notice must be created and distributed to the affected employees before that use begins.
Expanded Sensitive Personal Information Category
The CPRA’s definition of sensitive personal information includes several categories of information, some of which employers may already treat as confidential, including:
- Social Security numbers
- Driver's license or state identification card numbers
- Passport numbers
- Financial account or credit card numbers
- Genetic data
- Health information
Generally speaking, the contents of job applications, employee personnel records, employee tracking, and employee communications are all “personal information” under the CPRA.
The CPRA adds to the category of sensitive personal information by including any information that reveals an employee’s:
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Precise geolocation
- Sex life or sexual orientation
- Contents of mail, email, or text messages*
*The contents of mail, email, and text messages are not sensitive personal information where the employer is the intended recipient of the communication (for example, messages sent to a company mailbox for business purposes), so these need not be listed in the notice.
It is worth noting that if the expanded list of sensitive personal information categories is not collected or used by the employer for purposes of drawing inferences about its workforce, it can be listed as personal information within the other categories of personal information. Employers should audit their categories of information with an eye on this differentiation until final regulations are released.
Intent to Sell or Share Information with a Third Party
As most employers do not share personal information, the simplest course of action is for employers to declare that they will not share or sell personal information to third parties. However, should employers decide to sell or share information with a third party, they will be required to comply and must provide employees with the following three options:
- A comprehensive opt-out from the sale and/or sharing of personal information, including limiting the use of sensitive personal information
- An option to limit the use of sensitive personal information
- A "Do Not Sell / Do Not Share" option covering the sharing of personal information for cross-context behavioral advertising
Retention Schedule
The notice must state how long the company intends to retain each category of collected information. Employers do not need to assign a separate retention period to every individual data element, but they must determine how long each category will be retained in order to satisfy this part of the notice requirement. If any information is collected for the purpose of "inferring characteristics" about employees, the retention details for that information must be stated separately.
Employer Next Steps
- Continue to monitor the final CPRA regulations, which the California Privacy Protection Agency (the rulemaking body created by the CPRA) is required to issue no later than July 1, 2022
- Given the amount of information needed to be disclosed, employers doing business in California or recruiting in the state should start taking steps now to compile the data; this may mean working with other teams such as finance or marketing.
- Assess the categories of sensitive personal information being collected about employees, job applicants, and contractors to determine how it is being used in preparation for notice requirements
- Obtain, create, and/or revise the data retention philosophy based on federal, state, and CPRA retention guidelines
- Assess the nature of data transfers to third parties
- For multi-state employers, decide if you want to comply with California state law across your entire workforce
- If you already have gone through a data mapping exercise for the General Data Protection Regulation (GDPR), or CCPA compliance in relation to consumer data, this is effectively the same exercise for CPRA.
- If you are a Full-Service or Virtual HR client and have questions about this e-Alert, please email us
This content is provided with the understanding that HR Knowledge is not rendering legal advice. While every effort is made to provide current information, the law changes regularly and laws may vary depending on the state or municipality. The material is made available for informational purposes only and is not a substitute for legal advice or your professional judgment. You should review applicable laws in your jurisdiction and consult experienced counsel for legal advice. If you have any questions regarding this content, please contact HR Knowledge at 508.339.1300 or email us.