In less than two months, on January 1, 2023, the California Consumer Privacy Act (CCPA) as revised by the California Privacy Rights Act (CPRA) will take effect fully in the job applicant and employment context.

And with respect to job applicants and personnel, businesses subject to the CCPA will be required to (i) issue further revised privacy notices, (ii) be ready to respond to data subject requests, (iii) have determined if they sell or share for cross context behavioral advertising personal information about them, and (iv) have determined if they use or disclose sensitive personal information about them outside of specific purposes. If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. See also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Here are some key recommendations on what employers should do now:

1. Review contracts with parties to whom you disclose personal information about applicants and personnel. The CCPA prescribes certain types of clauses that have to appear in agreements between parties exchanging personal information, and you will have to include certain data processing clauses if you do not want to be considered to be “selling” (which the CCPA defines to mean disclosing in exchange for monetary or valuable consideration) or “sharing” (which the CCPA defines to mean disclosing for the purposes of cross-context behavioral advertising) personal information and offer related opt-out processes. It is not practical for employers to offer opt-out rights in most scenarios, due to the CCPA’s non -discrimination requirements. The CCPA regulations, which are currently being revised by the California Privacy Protection Agency (latest draft as of this publication is available here), include additional requirements. Businesses should continue to update such contracts with parties it discloses personal information to.

2. Prepare/revise notices at collection and include HR data in your online CCPA Privacy Policy. At collection notices in the employment context have been required under the CCPA since 2020, but new specific disclosure requirements apply from January 1, 2023. Your comprehensive online CCPA privacy policy will also have to reflect your processing of HR data. You should consider updating/preparing a privacy notice at collection that is specific to the CCPA and separate from any privacy notice you might use to address privacy laws in other jurisdictions, since California laws establish increasingly unique requirements and use unique terms that may be difficult to reconcile with those of other jurisdictions (from January 1, 2023, businesses must use specific terms from the CCPA to describe categories of personal information in all notices at collection). At the same time, you have to be mindful of setting or negating privacy expectations. If you issue privacy notices to job applicants and personnel that merely address CCPA disclosure requirements, the recipients of such notices may develop privacy expectations that could later hinder you in conducting investigations or deploying monitoring technologies intended to protect data security, co-workers, trade secrets and compliance objectives.

Continue Reading California Privacy Law Action Items for Employers

Effective January 1, 2023, California employers must continue to provide notification to employees of COVID-19 exposure in the workplace through 2023, but will be able to satisfy the notification obligation by displaying a notice in the workplace. On September 29, Governor Gavin Newsom signed AB 2693 into law, revising and extending the existing obligation for

It is official.  California has joined Colorado, Washington and New York City in requiring job posting to include pay ranges. Today (September 27, 2022), Governor Newsom signed SB 1162 into law, requiring California employers with 15 or more employees to include the salary or hourly wage range of positions in job listings. SB 1162 also

California employers will need to review and confirm their employees’ exempt status and non-exempt hourly wage rates before the start of the new year because of an unusual change in the statewide minimum wage applicable to all California employees.

On July 27, 2022, the California Director of the Finance Department sent a letter to Governor

The U.S. Supreme Court just handed employers a huge win in the continuing war over California’s Private Attorneys General Act (PAGA), a bounty-hunter statute that deputizes employees to sue on behalf of the state. In yesterday’s Viking River Cruises, Inc. v. Moriana, decision, the Supreme Court held that employers may compel employees to arbitrate

The Supreme Court of California has just resolved a long-standing debate over whether employees may recover additional statutory penalties if employers do not include unpaid premium payments for meal period and rest break violations (commonly referred to as “break penalties”) on employee paystubs, or include such premium payments with an employee’s final wages due immediately

On April 1, a state court judge in Los Angeles ruled that the California law (AB 979) mandating publicly traded companies include people from underrepresented communities on their boards violates the California Constitution. We initially reported on AB 979 here, noting that it was the first law of its kind in the US and was the second time California sought to mandate diversification of public company boards through legislation. In 2018, the first piece of California legislation (SB 826) aimed at increasing gender diversity; in 2020, AB 979 sought to increase diversity from underrepresented communities.

AB 979

The 2020 law requires publicly held corporations headquartered in California to include at least one person on their boards from an underrepresented community by the end of last year, with additional appointments required in future years. People from underrepresented communities are defined as anyone who self-identifies as Black, African American, Hispanic, Latino, Asian, Pacific Islander, Native American, Native Hawaiian or Alaska Native, or who self-identifies as gay, lesbian, bisexual or transgender.

Under AB 979, the California Secretary of State must report annually on companies’ compliance with the law and may impose fines of $100,000 for an initial violation and $300,000 for each subsequent violation.

Continue Reading California’s Board Diversity Law Struck Down in State Court, But Movement for Inclusion and Diversity on Boards Persists

As the Omicron wave recedes, a raft of states have announced plans to lift their mask mandates.

In the past few days alone, California, Connecticut, Delaware, Illinois, Massachusetts, Nevada, New Jersey, New York, Oregon, and Rhode Island have announced changes to their face covering rules. And if the number of Omicron cases continues to dwindle

Special thanks to Lothar Determann, Helena Engfeldt, Jonathan Tam, Andrea Tovar, and Vivian Tse.

2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023 with a twelve-month look-back that also applies to the personal

Many thanks to Lothar Determann and Jonathan Tam for this post.

Some of your job applicants and employees in California may be alarmed if you tell them you sell their personal information. But you will have to say you sell their personal information if you disclose their personal information to third parties after January 1, 2022 without including certain data processing clauses in your contracts, as required by the California Consumer Privacy Act (CCPA). So we recommend reviewing these contracts to ensure they include the prescribed clauses if you wish to avoid being a “seller” of personal information.

You should also get ready to field data access, deletion, correction, portability and other requests from your employees and other personnel in California starting January 1, 2023. This will require implementing new protocols and training up your human resources and compliance teams. We also recommend tightening up your data retention and deletion protocols to limit the amount of information you have to review when handling data subject requests.

Do you use employee monitoring software or algorithms to help you evaluate job applicants? You should ensure that your use of these and similar tools address upcoming requirements regarding automated decision-making, risk assessments and the use of sensitive personal information. Note that the CCPA also currently requires employers to issue privacy notices to their California employees pursuant to a California Privacy Rights Act (CPRA) amendment that took effect on December 16, 2020.

There is an HR exception under the CCPA but it is not comprehensive and expires January 1, 2023. When the CCPA originally passed in 2018, it included a limited, temporary carve-out for personal information of job applicants, employees, independent contractors and other personnel, who only needed to receive a brief “notice at collection.” The CPRA extended the limited carve-out until January 1, 2023 and immediately expanded the list of disclosures that employers have to provide to employees and candidates at or before the time of collecting their personal information.[1] Such “notices at collection” must include details about the types of personal information collected, the purposes for which the information is collected, and how long the personal information is retained or the criteria for determining the same. The California Attorney General’s CCPA Regulations also require notices at collection to indicate whether the business sells California residents’ personal information and a notice of the their right to opt-out of sales if so, and a link to the business’s privacy policy.[2] You should begin to address these requirements immediately if you have not done so already.

Continue Reading Employers Must Prepare Now For New California Employee Privacy Rights