On January 1, 2020, the California Consumer Privacy Act (CCPA) became effective and created an array of protections for consumers regarding data privacy rights while creating business obligations related to the collection and sale of personal information—codifying California Civil Code § 1798.100, et seq. It followed in the footsteps of the EU General Data Protection Regulation (GDPR) governing data protection. The CCPA was initially a less strict version of the GDPR.
The California Privacy Rights Act (CPRA), approved on November 3, 2020, significantly amended the CCPA. It imposes obligations on covered employers that affect, among others, employees, human resources personnel, independent contractors, applicants, and other types of workers (Covered Individuals), and it adds penalties intended to give businesses a greater incentive to comply and to hold them accountable for violating the law. The CPRA does not become operative until January 1, 2023. It requires employers to provide privacy notices, respond to requests from those exercising their data rights, limit use of sensitive personal information, and make disclosures about it.
Although the CPRA becomes operative on January 1, 2023, enforcement will not commence until July 1, 2023, which provides businesses with a safe harbor to adjust their compliance in early 2023.
Employers, however, should begin to consider their compliance obligations now, if the CPRA applies to them, because the CPRA contains a look-back provision that would require them to track their collection, use, and disclosure of personal information going back to January 1, 2022—12 months before the effective date of the CPRA. The CPRA sets July 1, 2022, as the deadline for adopting final regulations, so the current requirements may be further amended at that time.
Which Employers Will Be Affected?
The CPRA would apply to any for-profit entity doing business in California, regardless of whether the business is actually based in California, that collects consumers’ personal information (or on whose behalf such information is collected) and that alone, or jointly with others, determines the purpose and means of processing that information, and satisfies at least one of the following thresholds:
- As of January 1 of the calendar year, has annual gross revenues in excess of $25 million in the preceding calendar year,
- Alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households, or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Businesses that do not meet these criteria could still be subject to the CPRA if they:
- Own or control a business defined by the CPRA, or
- Share common branding with a business and with whom the business shares (or receives) consumers’ personal information.
The CPRA clarified that to qualify under the common branding category, the information from the covered business must be for cross-context behavioral advertising purposes.
What Data Rights Does the CPRA Create?
The CPRA adds two additional rights to the CCPA’s initial six data rights (the two new rights are marked as added by the CPRA):
- The Right to Know,
- The Right to Delete,
- The Right to Opt-Out,
- The Right to Opt-In,
- The Right to Sue,
- The Right to Non-Discrimination,
- The Right to Correct (added by the CPRA), and
- The Right to Limit Use (added by the CPRA).
The CPRA further amended the six data rights afforded by the CCPA.
The Right to Know Categories and Specific Personal Information
Covered Individuals’ right to know (request disclosure) consists of:
- A category-based notice regarding their specific personal information that the business collects, sells, shares, or discloses, and
- A request for specific pieces of personal information collected.
Under the CPRA, a business must disclose any personal information it has collected about a Covered Individual who makes a verifiable request (i.e., data portability in an easily understandable format “without hindrance”), which includes direct or indirect collections and collections made through or by a service provider or contractor. The CPRA also removes the 12-month look-back limitation unless such disclosure is impossible or too burdensome in proportion to the effort involved, though this requirement does not apply to information collected prior to January 1, 2022. Employers may also refuse based on privileged materials or because requests are “manifestly unfounded or excessive, in particular because of their repetitive character.” Before responding to any verified data portability request, employers must remove “sensitive personal information” (further discussed below).
Employers should also be aware of employees’ rights to review or receive a copy of the personnel file relating to their employment, performance, or any grievances pursuant to California Labor Code § 1198.5. Further, employers should be aware of their obligation to maintain employees’ payroll records for at least three years in accordance with California Labor Code § 1174.
The Right to Delete Personal Information
Unless specifically allowed by the CPRA to retain personal information, employers must comply with any verified request to delete personal information. The right to delete is limited to personal information that the employer has collected from the Covered Individual, as opposed to such information collected from others (e.g., background checks, references, performance evaluations, investigation reports, communications involving the Covered Individual).
The CPRA allows an employer to refuse such requests when:
- Deleting the information prevents the business from exercising its legal rights, such as needing to retain the information to defend against possible legal claims,
- Personal information is needed for employment purposes, such as for payroll, government data reporting, and health care,
- Complying with legal obligations such as needing to retain employment records for required data retention periods,
- Completing transactions using personal information to fulfill contractual obligations, or
- The retention of personal information is necessary to satisfy compliance requirements and litigation demands.
The CPRA also requires employers to notify their service providers or contractors to delete the Covered Individual’s personal information from their own records, along with any third parties to whom they sold or shared such information, unless doing so is impossible or disproportionately burdensome. Not only must service providers or contractors cooperate in responding to such verifiable requests, they must also run through the same exercise downstream by notifying any of their own service providers, contractors, or third parties of the Covered Individual’s right to delete personal information that has been collected, retained, or used.
The Right to Correct Inaccurate Personal Information
The CPRA requires employers to use commercially reasonable efforts to correct inaccurate personal information that a verified Covered Individual’s request identifies, given the potential subjectivity and materiality of such requests, depending on context.
While the CPRA might permit Covered Individuals to correct their personal address if they have moved, employers likely should deny any requests to make material changes regarding performance reviews or investigative findings, depending on the context.
The Right to Opt-Out of Sales or Sharing of Personal Information
The CPRA requires employers to provide Covered Individuals a right to opt-out if they sell or share personal information with third parties. The CPRA defines a sale as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…personal information…for monetary or other valuable consideration.” Most employers might not be affected by this given they generally do not sell or share their Covered Individuals’ personal information for monetary value.
Employers that do sell or share personal information, however, must ensure that they provide a conspicuous link on their internet homepage that allows Covered Individuals to opt-out of such sale or sharing. Further, employers must describe the sale or sharing and the right to opt-out in their privacy policy.
The Right to Limit Use and Disclosure of Sensitive Personal Information
The CPRA requires an employer to limit the use and disclosure of sensitive personal information that it collects or processes with the purpose of “inferring characteristics” about Covered Individuals. The CPRA defines “sensitive personal information” as personal information that reveals:
- Social security, driver’s license, state identification card, or passport numbers,
- Account log-in, financial account, debit card, or credit card numbers combined with any required security or access code, password, or credentials allowing access to an account,
- Precise geolocation,
- Racial or ethnic origin,
- Religious or philosophical beliefs,
- Union membership,
- Contents of physical mail, email, and text messages, unless the business is the intended recipient of the communications,
- Personal information collected and analyzed concerning a consumer’s health, sex life or sexual orientation, and
- Biometric information for the purposes of uniquely identifying a consumer.
Employers generally use personal information that may qualify as sensitive for its intended purposes (e.g., banking information or Social Security cards for tax or wage purposes) rather than to “infer characteristics.” Inferring such characteristics based on disability, race, religion, or any other protected class would invariably lead to violations of discrimination laws.
The CPRA also allows Covered Individuals to restrict an employer’s use and disclosure of sensitive personal information to:
- Ensuring safety and integrity to a reasonably necessary and proportionate extent,
- Performing services or providing goods reasonably expected by an average consumer who requests such goods or services,
- Short-term transient use,
- Performing services on behalf of the business,
- Verifying or maintaining quality control, or
- Purposes otherwise authorized by the CPRA regulations.
Employers must ensure that they provide a conspicuous link on their internet homepage that allows Covered Individuals to limit an employer’s use of their sensitive personal information.
The Right to Non-Discrimination
The CPRA requires employers not to discriminate or retaliate against Covered Individuals for exercising their CPRA data rights. Adverse employment actions in response to any effort to exercise their rights could be considered retaliation.
What Types of Notices Are Employers Obligated to Provide?
In addition to the category-based notice discussed above regarding specific personal information that the business collects, sells, shares, or discloses, the CPRA requires employers to provide notice of the categories of personal information to be collected and the purposes for which such information will be used “at or before the point of collection” to consumers.
The CPRA also requires the content of the notices to include: (1) whether the information will be sold or shared; (2) the length of data retention; and (3) additional disclosures about the collection and use of “sensitive personal information.”
The CPRA also prohibits employers from retaining personal information or sensitive personal information for longer than is reasonably necessary for the purpose for which the data was collected. As noted above, employers in California have certain obligations to retain information (e.g., litigation holds, California Labor Code §§ 1174 and 1198.5). Despite this, the CPRA codifies the obligation for employers to establish clear data destruction policies and to discontinue the practice of retaining data indefinitely.
Is There a Private Right of Action for Certain Data Breaches?
The CPRA allows Covered Individuals to bring a private right of action, individually or on a class-wide basis, for unauthorized access and exfiltration, theft, or disclosure of non-encrypted and non-redacted personal information as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information, as defined by the CPRA. The CPRA expands the definition of personal information to include an email address in combination with a password or security question and answer that may permit access to a Covered Individual’s account. No showing of actual injury or harm is required to maintain these civil actions.
Covered Individuals may seek statutory damages of between $100.00 and $750.00 per California resident per incident or actual damages, whichever is greater; injunctive or declaratory relief; or any other relief a court deems proper.
Further, statutory damages may be awarded if, prior to filing suit, an employer (1) receives a written notice of a specific CCPA violation from a Covered Individual and a 30-day cure period, and (2) does not or cannot cure the alleged violation and does not provide the Covered Individual with a written statement within the cure period that it has cured such violation and no further violation will occur. When a Covered Individual suffers actual monetary damages due to violations, however, there is no requirement to provide an employer with any notice prior to filing suit.
Lastly, implementing and maintaining reasonable security procedures and practices after a breach does not constitute a cure for that breach.
If you have any questions regarding this Alert, please contact the authors, David L. Cheng, partner in our Los Angeles office at dcheng@fordharrison.com, and Paul M. Suh, associate in our Los Angeles office at psuh@fordharrison.com. Of course, you can also contact the FordHarrison attorney with whom you usually work.