The California Privacy Rights Act (“CPRA”) becomes effective January 1, 2023, amending and expanding the privacy rights under the California Consumer Privacy Act (“CCPA”). Assuming no further applicable extensions or amendments are passed, the CPRA will eliminate the CCPA exemptions that apply to employee data, and companies subject to the CPRA will need to comply with their obligations regarding the processing of employee data.
What is the current status under CCPA?
The CCPA currently regulates employment-related personal information, meaning personal information that is collected and used only in connection with an individual’s role as an employee or job applicant, or as a dependent, beneficiary, independent contractor, or owner. The CCPA provides employers with limited exemptions. Specifically, the CCPA does not extend certain consumer rights to employees, including the right to access or delete personal information. Note, however, that the CCPA does not provide a blanket exemption for employment-related data. Employers must adequately protect the personal information they collect and must provide notice of processing to the applicable individual at or before the time the personal information is collected.
What are the new obligations and rights related to employee data under the CPRA?
(1) Employers must prepare a privacy notice and provide it to employees and/or job applicants at or before the time of collection of personal information.
- This notice must include: (a) the categories of sensitive personal information collected; (b) whether sensitive personal information is sold or shared; and (c) the length of time the employer intends to keep each category of sensitive personal information.
- If an employer authorizes a third party to collect personal information on its behalf, the CPRA requires the third-party collector to provide notice at the time of collection.
- In addition to providing notice of consumer rights, of who is collecting the data, and of how and for what purpose such data is being collected, sold, used, or shared, employers must also list all categories of third parties to which they disclose, or whom they permit to collect, consumer personal information.
(2) Employers must honor consumer requests unless an exemption can be relied upon. These include requests exercising the right to erasure, the right to know, the right to rectification, the right to access, the right to data portability, the right to non-discrimination, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of both the sale and the sharing of personal information.
(3) Companies must protect personal information from unauthorized disclosure and must provide employees with the right to limit the use and disclosure of sensitive personal information.
(4) Finally, companies must enter into data processing agreements (“DPAs”) with their vendors (service providers, contractors, or other third parties that have access to personal information). This requirement applies regardless of the type of personal information processed (i.e., employment-related or otherwise). The DPA must include provisions that:
- Identify the limited and specific business purposes and services for which the vendor processes personal information, as set out in the contract.
- Prohibit retention, use, or disclosure of personal information for any purpose other than those specified in the contract.
- Prohibit retention, use, or disclosure of the personal information received for any commercial purpose other than those specified in the contract.
- Prohibit retention, use, or disclosure of personal information outside of the direct business relationship between the vendor and the business, and prohibit retention, use, or disclosure of personal information for any purpose other than the business purpose specified in the contract.
- Require the vendor to comply with its applicable obligations under the CPRA and to provide the same level of privacy protection that the CPRA requires.
- Require that the business be notified when the vendor fails to comply with its obligations under the CPRA.
- Grant the business the right to take reasonable and appropriate steps to ensure that the vendor uses personal information in a manner consistent with the business’s obligations under the CPRA.
- Grant the business the right to take reasonable and appropriate steps to stop and remedy any unauthorized use of personal information.
- Provide for notifying the service provider or contractor of any consumer requests made pursuant to the CCPA with which it must comply, and require the business to provide the information necessary for the service provider or contractor to comply with the request.
In addition to the above requirements, the business must include the following provisions:
- Prohibit the sale and sharing of personal information.
- Require notice of any sub-processors involved, and require that they be contractually bound to the same processing obligations.
Businesses are also required to conduct due diligence assessments, such as audits, on their vendors to ensure they can process personal information in compliance with the CPRA.
What should employers do to prepare for CPRA?
- Understand the employment-related personal information your business processes by conducting a data inventory/data mapping exercise.
- Understand the rights and exceptions afforded to California consumers under the CPRA, and the business requirements associated with each consumer right.
- Make sure your business provides notice to employees and others at or before collecting personal information, and that the notice meets CPRA requirements.
- Ensure that all vendors have a DPA in place, including those that process employment-related personal information.
- Consider developing a privacy impact and cybersecurity assessment program to identify and fix gaps in privacy and security compliance.
© Polsinelli PC, Polsinelli LLP of California. National Law Review, Vol. XII, No. 242