Roll with the Changes
If there is one thing that never changes for employers in California, it’s the need to keep up with frequent changes to the legal compliance landscape. The courts give us a moving target throughout the year with their decisions, which is challenging enough, but our legislature predictably heaps on more at the end of every year, ensuring that our holiday season respite is short-lived as we turn to compliance for the new year. Several new laws go into effect January 1, 2023. O’Hagan Meyer is at your service to assist with any compliance questions and with best-practice policies and procedures.
California Privacy Rights Act
The California Consumer Privacy Act (CCPA) has been around for several years, but until now has specifically exempted personal information of consumers who are acting as a job applicant, employee, owner, director, medical staff member, or contractor of the business collecting their information. However, effective January 1, 2023, that exemption no longer exists: the new California Privacy Rights Act (CPRA) specifically eliminates the employer exemption. Employers must therefore now consider compliance with both the CCPA and the CPRA as it relates to existing and prospective employees’ personal information.
Here are the key highlights.
What Personal Information is Covered?
The CPRA indicates that “Sensitive Personal Information” includes anything that reveals an individual’s personal information, such as Social Security number, driver’s license number, state identification card, or passport number; login information allowing access to any financial account, including account login, debit card, or credit card number in combination with any required security or access code or password; racial or ethnic origin; religious or philosophical beliefs; union membership status; and precise geolocation. This is not intended as an exhaustive list, but rather as examples identified in the statute.
Notice of Collection
Businesses are already required under the CCPA to give prospective and existing employees a notice of collection stating the types of personal information collected and how it will be used. These notices should be updated, or created if not in current use, to comply with the additional notice requirements, including information about rights to review, the right to delete, the right to correct, the right to non-discrimination for exercising rights, the right to opt out of the sale of personal information, the right to limit the use and disclosure of sensitive personal information, and retention periods.
Business to Business Transactions
The CPRA covers contracts and interactions with outside vendors that handle employee personal information on behalf of employers, such as payroll and benefits management companies. An employer can be held liable for breaches by these vendors when the employer knew, or should have known, that the vendors were out of compliance, resulting in a prohibited breach.
Conclusion
As if we don’t have enough already, the CPRA creates a new State administrative agency, the California Privacy Protection Agency, which will be responsible for enforcement and interpretive regulations. As always, the courts will add their two cents going forward. In the meantime, as January 1, 2023 quickly approaches, it is critical that businesses with employees in CA review existing personal information protocols and make appropriate adjustments. Employers must respond fairly quickly to any request by an existing, prior or prospective employee to exercise their newfound rights, so it is critical to plan ahead.