California Consumer Privacy Act: Employee and B2B Exemption Expires January 1, 2023 – Press Release


Photo by LawFlash

October 14, 2022

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) data have not been extended, leaving the privacy practices of California businesses in disarray. Employers in California must prepare to provide a list of new privacy rights to employees beginning January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.

California is currently on track to become the first state to grant privacy rights to workers. In addition, the new privacy rights will apply to personal information collected in the context of a business “providing or receiving a product or service to or from” another business.

Two bills had been introduced in the California Legislature that would have extended the employee and B2B exemptions, but neither bill was enacted when the legislative session ended on August 31, 2022. Given that the legislature does not reconvene until January 1, 2023, it is now unlikely that the employee and B2B exemptions will be extended before January 1, 2023.

The CCPA currently places limited liability on employers with regard to employee data if they qualify as “businesses” under the law. The CCPA applies to the information of “consumers,” but defines that term broadly to include employees, applicants, officers, directors, and independent contractors. Employers in California are currently required to provide consumer group privacy notices that describe the type of employee data collected and the purposes for which the collection is made.

New Employee Privacy Rights

Employers must update the CCPA privacy notice provided to California employees to describe and explain how employees can submit requests under the following privacy rights, effective January 1.

Right to Know

Under the CPRA, employees will have the right to access the personal information that a business collects about them. Most employers in California are required to have other policies that comply with the right to know, but the compatibility between the CPRA and existing laws in California must be evaluated. For example, under the California Labor Code, employees already have the right to access information collected by their employers, such as pay records (Cal. Labor Code § 226), signed documents (Labor Code § 432), and employment files (Labor Code § 1198.5).

The CPRA appears to grant workers the right to information about certain categories of information that are not covered by the Labor Code, such as geolocation, biometrics, and the Internet. The CPRA will also require response times that differ from those in the Labor Code (10 working days to confirm receipt of a request and 45 calendar days to respond).

Right of Withdrawal

The CPRA gives employees the right to delete personal information collected from them, subject to exceptions. For example, the CPRA provides an exception to the right to withdraw “pursuant to the law.” Employers will need to review federal, state, and local requirements in response to a CPRA waiver request, including, but not limited to, the Americans with Disabilities Act, the Family Medical Leave Act, the Age Discrimination in Employment Act, and the Fair Labor Standards Act.

Right to Withhold Sale or Share

The CPRA gives employees the right to opt out of the sale or sharing of their personal information. Although most employers do not “sell” employee data as the term implies, the CPRA’s definition of “sale” is very broad and may include disclosing employee information to a vendor, such as a payroll company, without a supplier or seller contract that falls within the purview of the CPRA. “Sharing” means sharing with a third party in a variety of advertisements.

Right to Opt Out of Decision Making Technology

The CPRA gives consumers, including employees, the right to opt out of a business using “decision-making technology,” which includes profiling employees based on their “jobs, financial status, health, preferences, interests, reliability, behavior, location or behavior.”

This right is not defined by the California Privacy Protection Agency (Agency), which is responsible for enforcing related laws.

Right to Correct Personal Errors

The CPRA creates a new right to correct inaccurate personal information, which can be passed on to employees. An employer must use “commercially reasonable measures” to correct false personal information upon request, but this right is not clearly defined in the agency’s policy.

The Right to Limit the Use and Disclosure of Personal Information

The CPRA also gives employees new rights to limit the use and disclosure of “personal information,” which is defined to include (1) accurate location data, (2) race or ethnicity, (3) union membership, (4) the content of employee emails and text messages, and (5) biometric information.

However, this right only applies to the use of a third party’s personal information and not to what is “expected” by the consumer/employee. The collection of personally identifiable information by employers, such as race or ethnicity, for various and aggregate purposes may be permitted.

How Employers Can Prepare for January 1st

In addition to updating the CCPA employee privacy notice to provide the new rights listed above, employers must do the following in preparation for the January 1, 2023, CPRA date.

Set Data Inventory Variables

An employer must review the employee and applicant personal information it collects to ensure that its privacy policy clearly defines the categories of personal information collected, used, and disclosed by the employer and identifies “personal information” that is subject to the new CPRA right. Auditing is also an important tool to ensure that employers respond effectively to right-to-know, expungement, and other requests for CPRA rights.

Enter into Data Processing Agreements with Service Providers

Employers who share employee information with service providers must enter into data processing agreements that contain certain important terms. Not only is the content required, but without the agreement provided by the service provider, regular broadcasts to retailers can be considered “sales” triggering the right to opt-out.

Understanding the New Employment Rights and Exemptions

An employer must, before receiving its first employee privacy request after January 1, 2023, review its definitions of various types of business rights, some of which are described above, and determine how to respond to requests based on those definitions.

Review Existing Employee Privacy Statements

Employers should review existing employee policies and procedures in line with the CPRA. For example, employee monitoring programs must be reviewed to determine whether they meet the CPRA’s standard that the collection, use, storage, and sharing of consumer personal information “be necessary and proportionate to accomplish the purposes for which it was collected or processed.”

Don’t Forget About B2B

Although the end of the employee exemption is important, the equivalent exemption for B2B personal information is also ending as of January 1, 2023. As a general matter, the personal information that a business collects about those who are in contact with the business will be subject to the same CPRA privacy rights as those described above in relation to an employee’s personal information.

Employers can take some comfort in knowing that new CPRA requirements, such as those that apply to personal data, will not be enforced until July 1, 2023. The agency is currently drafting the CPRA regulations.

For more information on the CCPA, CPRA, and other data privacy laws, visit our US Consumer Privacy Act page.

