The CPRA Grants Novel Data Rights to Employees. Are You Getting Ready?

The California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023, was enacted to offer more robust protections to California consumers – but California workers have been granted novel privacy rights under the CPRA too. Here’s what you need to know:

Who is Covered by the CPRA?

The protections offered under CPRA extend to California residents whose personal information is collected as a function of their work. This includes employees, independent contractors, and job applicants (California workers). Any employer who meets the general CPRA thresholds will be required to comply with the new obligations relating to employee data (Covered employers).

Data Rights for California Workers

The rights to know, correct and delete personal information, which have become a common feature of consumer-focused privacy laws in the U.S. and abroad, are extended through the CPRA to California workers, giving workers novel rights of control over the personal information held by employers and third parties acting on behalf of an employer.

California workers are also given the right to opt out of the sale and/or sharing of their personal information. They are further able to limit the use of their sensitive personal information.

Employers are not permitted to retaliate against California workers who choose to exercise their rights under CPRA.

Practical Implications of the CPRA’s Data Rights for California Workers

In practice, we expect the right to know to be the most burdensome to employers. While California workers are granted the right to delete personal information, the reality is that laws which require employers to retain HR records for certain periods or which allow employers to retain documents and data that would aid their defense in an employment law claim curtail the rights granted to California workers under the CPRA. Similarly, the phrasing of the right to correct personal information in the CPRA limits this right to objectively false information. This category would include information such as an outdated address. Subjective information, such as a supervisor’s opinion contained in an employment record, is not required to be changed under the CPRA.

If presented with a request from a California worker exercising his or her right to know, employers must provide the following details:

• Categories of personal information it has collected about the California worker.
• Categories of sources from which the personal information is collected.
• The business or commercial purpose for collecting, selling, or sharing personal information.
• Categories of third parties to whom the employer discloses personal information.
• Categories of personal information sold or shared and categories of third parties to whom the personal information was sold or shared, if any.
• Categories of personal information disclosed by the employer about the California worker for a business purpose and the categories of persons to whom it was disclosed.

Action Items for Covered Employers of California Workers

To prepare for the expanded rights coming into effect in 2023, employers should:

• Create a privacy policy that contemplates the rights of California workers.
• Map data flows, including the collection, use, storage, transfer, and deletion of the personal information of California workers.
• Develop processes for California workers to request information.
• Develop an internal framework to respond to these requests.
• Train relevant employees on the handling of personal information, including the personal information of California workers.

For assistance developing your privacy policies and internal processes, get in touch. We’re here to help!

• Privacy
• Weekly Briefs