This is the third in a series of articles about the implications of the California Privacy Rights Act for employers.
On January 1, 2023, the California Privacy Rights Act (CPRA) will go into effect and California employers will be required to develop a compliance model to address the range of new privacy rights granted to their workforce members under the law. In our previous articles we covered the data rights that workforce members will be able to exercise under the CPRA over the human resources (HR) data collected by employers.1 This article addresses the right that workforce members will have to receive a privacy notice, or “notice at collection,” which explains how the employer will use, disclose, and retain personal information collected by the company. The notice at collection is the first, and perhaps most integral, piece of a company’s CPRA compliance program.
The notice at collection obligation will sound familiar to employers that already comply with the CPRA's predecessor, the California Consumer Privacy Act (CCPA), which imposed a similar requirement. The content required under the CPRA, however, bears only limited resemblance to the notice employers distributed to comply with the CCPA. The CPRA's enhanced notice requirements will require employers to draft a more comprehensive, detailed document, and drafting it will likely require input from stakeholders across the enterprise (HR, IT, security, benefits, and records management, among others). This article breaks down these content requirements and provides an overview of the information employers will need to gather in order to craft the notice. As in-house legal departments outline and budget their 2022 compliance projects, the preparation of a CPRA notice at collection should be high on the list of priorities.
Required Content of the New “Notice at Collection”
Under the CCPA, California employers are required to distribute a notice to their workforce members, at or before the point at which personal information is collected, that explains: (1) the categories of personal information to be collected by the company; and (2) the purposes for which each category is used. If a category of personal information collected by an employer is used for a purpose not identified in the notice at collection, a new notice must be distributed before that use begins. The CPRA significantly enhances the content requirements of the notice at collection. In addition to explaining the categories of personal information collected, the purposes for which the information is collected or used, and whether that information is sold or shared, employers must also provide notice of the following:
Collection of “Sensitive Personal Information”
Perhaps the most noteworthy content requirement is that the employer disclose each of the categories of “sensitive personal information” that it collects from the workforce member. While the CPRA includes a key caveat to this requirement that impacts the manner in which the information must be delineated within the notice, compliance with the CPRA will require California employers to inform their workforce members about the collection of categories of personal information that, up until now, employers may not have needed to formally disclose.
The CPRA's definition of sensitive personal information encompasses a number of categories of personal information that employers generally already treat as confidential. This includes Social Security numbers; driver's license, state identification card, and passport numbers; an account log-in, financial account, debit card, or credit card number in combination with the security or access code, password, or credentials that allow access to the account; genetic data; and information about a workforce member's health. Employers typically treat this information as sensitive because it is high-risk data: if it were obtained by an unauthorized third party, the loss could trigger data breach notification obligations for the employer in a majority of states. However, the CPRA also defines sensitive personal information to include categories of personal information that are commonly collected by employers and often widely shared within a company. These include:
- Personal information that reveals a workforce member’s racial or ethnic origin;
- Personal information that reveals a workforce member’s religious or philosophical beliefs;
- Personal information that reveals a workforce member’s union membership;
- Personal information that reveals a workforce member’s precise geolocation;
- Information “collected and analyzed” concerning a workforce member’s health, sex life or sexual orientation;
- The contents of a workforce member’s mail, email, and text messages unless the business is the intended recipient of the communication.
For multinational employers required to comply with the European Union's General Data Protection Regulation (GDPR), most of the list above will appear familiar: racial or ethnic origin, religious or philosophical beliefs, union membership, health, and sex life or sexual orientation (along with genetic data) track the GDPR's "special categories" of personal data under Article 9. Precise geolocation and the contents of mail, email, and text messages have no Article 9 counterpart and are CPRA additions. For U.S.-only employers, however, the list above may understandably give them pause.
As previously mentioned, there is an important caveat to this disclosure requirement. The CPRA does not require an employer to present the categories of personal information listed above as “sensitive personal information” within their notice at collection unless the information is collected or processed for the purpose of “inferring characteristics” about the workforce member.2 If the information is not collected and used by the employer for the purpose of drawing inferences about workforce members, it can be listed as personal information in the notice at collection within the other categories of personal information collected by the employer. This may seem like a technical distinction, but it is not. Having to indicate in a notice to workforce members that the company collects “sensitive personal information” that includes information about their health, sexual orientation or religious beliefs could, at a minimum, lead to questions being asked. Allowing employers to blend these categories of information within a list of myriad categories of personal information collected by the company could enable employers to avoid this employee-relations issue, and only have to list those categories of information that are generally deemed to be “sensitive,” such as Social Security and driver’s license numbers.
The final regulations interpreting the CPRA, which the California Privacy Protection Agency (the agency to which the CPRA transferred rulemaking authority from the Attorney General) is required to adopt by July 1, 2022, may shed additional light on the disclosure requirements for sensitive personal information. Until then, employers should audit the categories of sensitive personal information that they collect with an eye toward determining which categories, and which purposes of use, will need to be disclosed as such within their CPRA notice at collection.
Retention Period
The notice at collection must also provide information about the retention period that applies to the data the employer collects from its workforce members. The CPRA asks for the length of time the employer intends to retain each category of personal information (including sensitive personal information) or, if stating a period is not possible, the "criteria used to determine that period." Employers therefore do not need to assign a specific retention period to each piece of personal data, and the criteria-based alternative gives them some latitude in how they satisfy this requirement.
Just as the collection of sensitive personal information must be disclosed separately within the notice at collection, the CPRA requires employers to separately detail the retention period (or the criteria used to determine it) for the sensitive personal information they collect. However, as discussed above, this obligation applies only to sensitive personal information that is collected or processed for the purpose of "inferring characteristics" about workforce members.
Employers that have comprehensive corporate retention schedules in place will be able to leverage those schedules to draft this portion of the notice. Employers that do not have retention schedules governing all personal data collected from their workforce members will need to develop retention period criteria to satisfy this requirement. Notably, the CPRA also limits the retention period itself: an employer may not retain personal information for a disclosed purpose longer than is reasonably necessary to fulfill that purpose. A retention period stated in the notice therefore needs to be tied to, and justified by, the purpose of use disclosed for that category of information.
Sale or “Sharing” of Personal Information
The requirement that employers disclose whether personal information is sold can generally be satisfied with a statement that personal information is not sold to any third party. Although the CPRA broadly defines "sale" to include "selling, renting, releasing, disclosing, disseminating, making available, transferring … personal information by the business to a third party for monetary or other valuable consideration,"3 most employers do not disclose HR data to third parties in return for a payment or some other form of "valuable consideration." Employers that do receive consideration from third parties in return for the transfer or disclosure of personal information will need to disclose that in the notice and comply with the CPRA's sale-related obligations.
Employers will generally be able to state that personal information collected from workforce members is not "shared" either. The CPRA defines "sharing" as a disclosure of personal information "for cross-context behavioral advertising," a purpose that does not apply to the ordinary processing of HR data.
Steps for Drafting the Notice at Collection
The sheer amount of information that employers will need to disclose within their notice at collection necessitates that employers take steps now in order to begin the process of compiling their notice. Here are key initial steps:
- Perform Data Mapping: Employers should first gather information on the categories of personal information and sensitive personal information collected from each category of workforce member (e.g., applicants, employees, independent contractors), the purposes for which each category is used, the sources of collection, and the third parties to whom workforce personal data is disclosed. Where a category of sensitive personal information is used to infer characteristics about workforce members, that purpose should be flagged, because it determines whether the category must be disclosed as sensitive.
- Obtain Copies of Corporate Retention Schedules Applicable to HR Data: As employers well know, the creation of a retention schedule can be an arduous undertaking and one that benefits from a cross-enterprise approach. Employers therefore should not try to "reinvent the wheel" by overlooking existing corporate retention schedules that apply to their HR data. At a minimum, these schedules are a good starting point for determining the retention period, or the retention criteria, applicable to many of the categories of personal data they collect.
- Assess Data Transfers to Third Parties to Determine Whether They Constitute a Sale: While most employers will be able to state within their notice at collection that they do not sell personal information, the CPRA’s broad definition of “sale” may ensnare some employers. Employers should therefore ensure that their data mapping process includes an identification of any third parties that may provide some form of consideration in exchange for the receipt of the employer’s HR data.
- Prepare for the Regs: The final regulations interpreting the CPRA are statutorily due by July 1, 2022. The regulations may provide additional insight into the requirements for the notice at collection; however, they could also impose additional obligations on employers. The more information employers gather now about their data collection activities, the better prepared they will be to comply with the CPRA's final requirements for the notice at collection.