The Beach Boys may have popularized the notion that the “good sun shines every day” in California, but when it comes to the state’s laws, there are generally some grey areas to cast a cloud. Case in point: When the state’s extension of its existing privacy law takes effect on Jan. 1, 2023 – providing new privacy rights to employees – there will be several grey areas for employers to see their way through.

California’s stance on privacy has been considered the U.S. equivalent to the EU and its groundbreaking General Data Protection Regulation (GDPR), referred to as the world’s strictest privacy law. The United States’ first comprehensive privacy legislation – the California Consumer Privacy Act (CCPA) – took effect at the beginning of 2020, after which privacy advocates almost immediately went to work to pass an extension of the law. The extension – the California Privacy Rights Act (CPRA) – passed in November of that same year and will take effect on Jan. 1, 2023.

Much of the focus on CPRA has been on the new or modified rights provided to consumers, and only now has the focus shifted to the complementary – and sometimes similar – rights CPRA provides to employees, as well as contractors and even job applicants. The six new employee rights are:

• Right to know
• Right to correction
• Right to deletion
• Right to opt-out of sale or share
• Right to limit use and disclosure of sensitive personal information (SPI)
• Right not to be retaliated against for exercising these rights

New Rights, New Obligations

To comply with these new rights, organizations subject to CPRA are required to:

• Inform their employees, contractors and job applicants how they handle their personal data, typically by providing a privacy notice or policy before collecting any personal information.
• Process DSRs for employees and eligible individuals covered under the law.
• Enter into a data processing agreement (DPA) with any third-party vendors, service providers or contractors that have access to the data of employees and covered subjects.
• Implement strict security procedures to protect users’ personal information against unauthorized disclosures, and provide employees with the option to limit the use and disclosure of sensitive information.

Businesses also must conduct due diligence assessments, such as audits, on their third-party vendors to ensure they are in compliance with CPRA’s personal information processing requirements.

Precisely Grey

Like any law whose text stretches to more than 75 pages and nearly 26,000 words, the specificity of CPRA is only as precise as the lawyers and regulators who interpret it. The primary grey area raising questions centers on exceptions that businesses may use to deny employee rights requests.

For example, if an employee requests data deletion, a business can deny the request to the extent that certain personal information is required for the employer-employee contract or relationship, such as information used to process payroll or provide benefits. In addition, certain jurisdictions may require employers to retain an employee’s personal information for a certain period of time. Similarly, CPRA provides the right to limit the use and disclosure of SPI, but this restriction applies to personal information used to infer characteristics, typically for marketing purposes. However, most employers don’t use SPI to infer characteristics about their employees, but for payroll and benefits purposes.

In addition, employees may request their employers correct certain information. Larger organizations, however, typically provide self-service capabilities that employees can use to update or correct personal information on their own. In other cases, a right provided under CPRA might not apply to the employee base. For example, if a business isn’t selling or sharing employee data with any vendors, contractors, or third parties, then the employer may not need to provide the right to opt out of the sale of data.

Regardless of the grey areas, businesses will need to develop processes to govern employee rights requests so they are acknowledged, accepted or denied, and responded to within the timeframe designated by the new regulation.

The Price of Noncompliance

The newly formed California Privacy Protection Agency (CPPA) will be responsible for enforcing privacy protection laws in the state, and it will have the authority to provide businesses that violate privacy regulations with time to remediate before any fines are levied. Organizations in default can be fined up to $7,500 per intentional violation and $2,500 per unintentional violation. In addition, any company knowingly violating any privacy laws protecting the data of minors can be subject to a $7,500 fine for each infraction.

Preparing for CPRA

Organizations should take steps now to comply with CPRA’s regulations that apply to employees, some of which may already be in place for CCPA compliance.

Data mapping and inventory. To process employee DSRs, employers will need to know where data resides. While a data inventory may exist for consumer data, businesses should conduct a data inventory of their human resources systems to identify the data collected about employees, why the data is collected, and how the data is shared with third parties.

Data storage and retention. Complementary to the data mapping exercise, employers will need to understand how they manage and store employee data, which is typically separate from customer data management systems. Companies may want to consider adopting data minimization principles to mitigate the risk of retaining employee data that is not necessary under the new regulation.

Privacy notices. Organizations should review their current privacy notices provided to employees, contractors and applicants to ensure they reflect the new rights under CPRA. Privacy notices should include any changes made under CPRA to address the processing of personal information, the length of time personal information will be maintained, and the categories of third parties with which the employer is sharing employee personal information. At the same time, companies should ensure they have updated data processing agreements (DPAs) with all relevant third-party vendors.

Security measures. Since CPRA requires employers to safeguard employee data, businesses should conduct regular risk assessments to determine potential privacy risks, and then develop a plan to address any compliance gaps.

California Represents a Starting Point

As employers in California evaluate the employee requirements of CPRA, they may want to re-evaluate how they collect, use, share and protect personal information across the enterprise, particularly if they do business outside the state. Since California passed CCPA, five other states have passed privacy legislation and dozens of others have privacy bills working their way through the legislative process. Employers preparing to comply with CPRA’s regulations for consumers and employers should look beyond California to build the privacy and compliance systems that can meet baseline requirements and scale to meet the growing number of state laws.

Complying with CRPA with Relyance AI

The Relyance AI platform supports the activities needed to comply with CPRA. At the foundation is Relyance’s live data inventory and map, which maps personal and sensitive data and SPI throughout the organization, including in HR systems. Relyance also includes data subject request management which automates much of this previously manual task. Learn more about how the Relyance AI Continuous Compliance Monitoring and Management Platform’s can benefit your organization by booking a demo.