CPRA Countdown: What employers need to know about the CPRA's potential impact on litigation

This is the eighth installment in our series on the California Privacy Rights Act, which takes effect January 1, 2023.

Hogan Lovells

To date, employee data has been largely exempt from the requirements of the California Consumer Privacy Act of 2018 (CCPA). However, effective January 1, 2023, the Consumer Privacy Rights Act (CPRA) will remove the exemptions applicable to the processing of personal information in employment contexts. The CPRA’s proposed expansion would make California the first state to enact a comprehensive data privacy law covering employment-related personal information, creating notable litigation risks for employers.

Employees’ Rights Under the CPRA

The CPRA will provide employees, job applicants, contractors, and former employees with rights to request access to, correction of, or deletion of their personal information (subject to certain exceptions). Personal information is broadly defined to include information that identifies, relates to, or could reasonably be linked with a person or their household. Such individuals will also be able to exercise their rights to opt out of the “sale” or “sharing” of their personal information, as those terms are defined in the statute.

The right to request access to personal information provides personnel with the right to request explanations from businesses about how their employment-related personal information is collected and handled, as well as the right to request the “specific pieces of personal information” that businesses have collected about them. The California Privacy Protection Agency (CPPA) is tasked with defining “specific pieces of personal information” under its regulations, but it has not yet done so. However, it seems likely that the term will be interpreted to go well beyond the copies of personnel records that employees currently have the right to access under California Labor Code § 1198.5.

In anticipation of the new access right, which applies to information collected on or after January 1, 2022, employers subject to CPRA should begin taking inventory of their collection, use, and disclosure of human resources/personnel data.

Litigation Impact

One of the significant litigation risks of the CPRA’s expansion of employee rights is associated with the right to access “specific pieces of personal information” that employers collect. In particular, plaintiffs may leverage this right as a pre-litigation discovery tool to obtain a wide range of employment-related records. For instance, individuals may attempt to seek from their employers any document referencing themselves, including interview notes, performance evaluations, or internal investigation materials. If the CPPA adopts a broad interpretation of the CPRA’s reach, compliance would likely be quite costly and could expose businesses to heightened employment litigation risks.

A useful illustration of this risk can be found by looking across the Atlantic to see how businesses in the United Kingdom have been impacted by similar employee data rights, first established through the Data Protection Act of 1998, then expanded in the General Data Protection Regulation. Under both frameworks, U.K. residents have a right to obtain a copy of their personal data from employers through a Data Subject Access Request (DSAR). U.K. data subjects tactically used DSARs as a tool to obtain documents prior to litigation and/or as a form of accelerated disclosure ahead of court timelines. And in Dawson-Damer v. Taylor Wessing LLP, the English Court of Appeal held that companies must comply with DSARs even when the data subject’s real motive is to use the personal data to assist in litigation, as long as the DSAR did not require “disproportionate effort.”

Because California employees and candidates may use the CPRA’s right to access as a form of pre-litigation discovery, businesses subject to the CPRA should begin preparing for employee and candidate requests for information by doing the following:

  • Taking inventory of the employment-related data they collect, including documentation of the sources of personal information and the entities to which the information is disclosed;
  • Strategically assessing their data retention policies with the risk of disclosure in mind; and
  • Assessing the extent to which certain records will be exempt from access requests, such as by being subject to the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), or other statutes subject to CPRA carve-outs, or by being subject to other CPRA exemptions, such as being information that would adversely impact the rights of others if disclosed.

Moreover, employers should consider engaging with the CPPA when it takes up employment-related regulations to help shape the regulatory framework for employment-related data.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
