Many thanks to our data privacy colleagues for co-authoring this post: Lothar Determann, Helena Engfeldt and Jonathan Tam.
2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, with a twelve-month look-back that also applies to the personal data of employees and business contacts. The new California Privacy Protection Agency is preparing regulations that will sit on top of existing rules from the California Attorney General. Meanwhile, the California Legislature is enacting privacy laws even though it has not repealed or streamlined any of the myriad California privacy laws that continue to apply in addition to the California Consumer Privacy Act (CCPA).
On March 1, we held a webinar focused on the employment law implications of these significant changes and covering a handful of critical topics (e.g., how to process vaccination information, and the treatment of employees of PEOs and EORs). If you missed it, here are the major highlights you should know.
Preparing for CCPA / CPRA Compliance
- CPRA amendments to CCPA take effect January 1, 2023; this ends the transitional exemptions for “HR” and “B2B contact information” and includes a 12-month look-back to January 1, 2022.
- “At collection notices” have been required since January 1, 2020, with increased disclosure requirements since December 16, 2020.
- By January 1, 2023, businesses must declare in their privacy policies whether they have been selling or sharing personal information of employees and B2B contacts in the preceding 12 months and, if so, offer opt-out mechanisms and alternatives without discrimination.
- Businesses must update service provider agreements, including with recruiters and IT, cloud, payroll, benefits, and other providers.
- Businesses must offer broad access, deletion, rectification, portability and other rights to California employees and B2B contacts, and prepare for what may be the end of confidentiality in the employment area; employers should conduct training, and implement robust data governance policies (incl. deletion and discovery).
Data Access / Deletion Requests from Employees
- Under existing employment law, California employees (not contractors) have the right to inspect and receive a copy of the personnel files and records that relate to their performance or any grievance concerning them within 30 days of their written request. The existing right to inspect does not extend to records relating to the investigation of a possible crime, letters of reference, or various ratings or reports.
- By contrast, the new “right to know” under the CPRA/CCPA goes further. It encompasses two distinct rights: (i) the right to a disclosure explaining how the employer collects and handles the individual’s personal information; and (ii) the right to copies of “specific pieces of personal information.” The “right to know” applies to California consumers, which goes beyond employees (i.e., including contractors). In theory, it could extend the scope of the “right to know” from simply the personnel file to include, for example, informal communications about the employee, investigations, etc. Employers must generally comply with such requests within 45 days.
- The “right to know,” however, is not absolute: employers can refuse a request that is manifestly unfounded or excessive (e.g., if the purpose is to harass), and the right does not cover privileged information (e.g., communications with in-house and external counsel).
- The CPRA/CCPA also introduces a new right to “data deletion.” This right is not absolute either. An exception should apply to most categories of personal information reasonably necessary for managing or administering a current or past employment or contract-work relationship.
- Finally, the CPRA/CCPA gives California residents other rights including the right to limit the processing of sensitive information. There are exceptions to the right to limit the processing of sensitive information, but none of the statutory exceptions apply squarely to HR data.
Record Retention / Deletion
- Current record retention requirements:
  - Employers must retain personnel records for applicants and employees for 4 years from the date the records were created or received, or the date the employment action was taken (previously 2 years).
  - Employers must maintain a copy of each employee’s personnel records for at least 3 years after termination of employment.
  - Employers must maintain payroll records, job classifications, and other terms and conditions of employment for no less than 3 years after creation.
  - Record retention requirements can be longer in some instances (e.g., work-related injuries and illnesses, records of employee exposure to hazards, litigation, etc.).
- Current record deletion requirements:
  - California employment law does not specify any requirements regarding the destruction of records.
  - Privacy laws, however, require that personal information not be kept longer than necessary or than required by law.
  - CPRA provides that “a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
Processing of Vaccination and other Health Information
- Federal law and California state law generally allow employers to require employees to provide proof of vaccination as a condition to accessing the office, subject to certain conditions.
- Employers should avoid collecting medical/disability information when collecting the vaccination data, which could trigger additional requirements under the Americans with Disabilities Act and/or the Genetic Information Nondiscrimination Act. They should provide clear instructions on the acceptable forms of proof of vaccination and instruct employees not to provide any medical information (or information of a family member).
- Standard methods to collect this data include email or third-party applications. Employers should have data security and strict access protocols, including with service providers. It is generally recommended (and even sometimes required) for employers to implement clear privacy notices.
- Health information is often considered special or sensitive personal information that requires consent or authorization (notably, California’s Confidentiality of Medical Information Act lacks an exemption for using medical information to comply with law).
- Employers should store the data in a confidential medical file kept separate from the employee’s personnel file, with limited access.
Treatment of Contractors and Employees of PEOs / EORs
- Although the type of engagement (e.g., direct employment, dual employment, independent contractor, indirect employment through an agency) is relevant to the applicability of employment laws (e.g., right to access personnel file), this distinction matters less under the CPRA/CCPA, which applies to companies collecting the data of California consumers.
- Even as a mere recipient of services, a company could be subject to specific privacy requirements under CPRA/CCPA.
For assistance meeting your data privacy obligations as a California employer, please reach out to a member of our team.