Final Regs Clear Path for Employers to Complete CPRA Compliance

​After months of uncertainty, the rulemaking process for the California Privacy Rights Act (CPRA), the first-ever comprehensive U.S. data privacy law applicable to HR data, concluded on March 29.

California employers can put the finishing touches on required notices and policies, distribute them, and take the other steps necessary to implement their compliance program.

Under the prior law, the California Consumer Privacy Act (CCPA), HR data was excluded except that California employers were required to provide applicants and employees in California with a brief notice at collection. 

Once the CPRA, which amends and supersedes the CCPA, went into effect on Jan. 1, this near-total exemption for HR data was eliminated. Employers must post an online privacy policy, ensure that contracts with service providers contain statutorily mandated language, and establish procedures so that applicants, employees and their dependents can exercise their new data rights.

The CPRA established a six-month grace period on administrative enforcement through June 30. The CPRA does not allow for a private right of action. Consequently, employers can put their compliance efforts into high gear without fear of litigation.

Given the overlapping disclosure requirements, many employers may wish to combine the notice at collection and privacy policy into one document. The final CPRA regulations confirm that combining the two notices is permissible, so long as the individual is directed to the specific section of the privacy policy that includes the information that must be included in the notice at collection.

To the extent the California Employer distributes a standalone notice at collection, the final regulations require that the notice at collection include a link to the business's privacy policy.

The final CPRA regulations depart from the statute with respect to the requirements for disclosures of personal information to external recipients. The statute requires disclosure of the categories of third parties to whom personal information is disclosed for any purpose, but the CPRA regulations require such disclosures made only for a "business purpose."

The final regulations also require that businesses include the following additional information points in the privacy policy, which are not specifically stated in the statute:

• Under the final regulations, the privacy policy must include a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age.
• The privacy policy must provide information on how an individual can implement opt-out preference signals, as well as an explanation of how opt-out preference signals will be processed. Opt-out preference signals will rarely apply in the employment context because employers generally do not "sell" or "share" personal information of HR Individuals.
• The privacy policy must include instructions on how an individual's authorized agent can make a request under the CPRA.
• The statute specifies that the privacy policy must include a description of an individual's rights under the CPRA and how to exercise those rights. The regulations add the requirement that the privacy policy include a general description of how the business will verify the individual's request. The privacy policy should explain that the employer will match identifying information provided by the individual to the personal information of the individual already maintained by the employer.
• The privacy policy must include a contact for questions or concerns about the business's privacy policies and the date the privacy policy was last updated.

New Vendor Contracting Requirement

The CPRA lists nearly a dozen clauses that California employers must include in their agreements with vendors that handle employees' personal information.

The final CPRA regulations, for the most part, parrot the CPRA's list of contracting requirements. The regulations add to the list only two requirements related to purposes of use. First, the vendor agreement must identify the specific business purposes for which the vendor is permitted to handle personal information.  Second, the agreement must state that the personal information is being disclosed to the vendor only for the specified business purposes. 

Data Rights

With regard to data rights, the regulations eased a few significant burdens, added many new requirements, and clarified several issues. Individuals have:

• The right to delete personal information.
• The right to correct inaccurate personal information.
• The right to know, which encompasses (a) the right to a disclosure about how the business collects, uses, and discloses the requestor's personal information and (b) the right to access the specific pieces of personal information obtained by the business.
• The right to opt out of sales of personal information.
• The right to opt out of sharing of personal information, meaning disclosure of personal information to third parties for behavioral advertising.
• The right to limit the use and disclosure of sensitive personal information.
  

First, the regulations add new notification and disclosure requirements to the process of responding to data rights requests.

The most substantial new disclosure requirement in the regulations obliges the business to explain the basis for denial when rejecting a right to know, delete, or correct. If the employer refuses to provide information in response to a request to know beyond the 12-month lookback period, the regulations require the employer to provide "a detailed explanation that includes enough facts to give [an individual] a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period."

The regulations also add a significant new timed notice requirement. The statute just requires that businesses respond to requests to know, correct, and delete within 45 days of receiving the request, with an option to extend the response period with notice and if "reasonably necessary." The regulations also require that the company confirm receipt of a request to know, delete, or correct within 10 business days of receiving the request.

Employers will have a continuing obligation regarding the accuracy of personal information amended in response to a request to correct. Under the regulations, whether the business has "implemented measures" to keep such personal information accurate "factors into" whether the business has "adequately complied with a … request to correct."

The regulations craft a new requirement for all such companies to comply with opt-out preference signals for sales and sharing of data. California Attorney General has signaled that he interprets the definition of "sale" very broadly. Some website cookies that make website visitor information available to third parties for analytics and advertising potentially could be construed as selling or sharing personal information. Employers' applicant web pages may use cookies that disclose data about applicants to third parties. HR and legal departments should work with their website managers to consider these issues.

The final regulations clarify that sensitive personal information "that is collected or processed without the purpose of inferring characteristics about [a California resident] is not subject to requests to limit."  Although employers collect substantial amounts of sensitive personal information, they typically do not use it to infer characteristics about an individual. As a result, the right to limit sensitive personal information generally will not apply to HR data.

The regulations lightened the load of complying with data rights requests in three key ways. The final regulations retained the exception to the right to know for relatively inaccessible personal information.  An employer need not comply with a request to know if the employer:

• Does not maintain the personal information in a searchable or reasonably accessible format.
• Maintains the personal information solely for legal or compliance purposes.
• Does not sell the personal information and does not use it for any commercial purpose.
  

The regulations limit the right to know in another significant manner by prohibiting employers from producing certain highly sensitive personal information in response to a request for specific pieces of personal information. The final rules do not allow employers to disclose items including Social Security numbers, login credentials, and health insurance numbers. This reduces a major risk for employers, which could be faulted for disclosing this information in response to a spoofed request or through some form of insecure means. Although businesses must verify the identity of the requesting individual, inevitably some bad actors may infiltrate the authentication process.

Employers need not delete or correct personal information on archived or back-up systems within the 45-day deadline. Instead, they can delete or correct the data when it is next accessed, used, or restored to an active system.

Employers must be mindful when collecting HR data, including new categories of personal information collected with consent. The collection should be limited to the "minimum necessary" to achieve the purpose for collection. From a practical standpoint, the purpose limitation within the CPRA regulations puts the onus on employers to consider two points:

• Employers must ensure that they consider all of the purposes for which HR data may be used.
• When new technology or systems are introduced into the workplace to process or store HR data, employers should have a process in place to assess whether the system's use of the personal information falls within the purview of a purpose identified within the notice at collection.
  

If the California authorities follow an enforcement strategy similar to their approach to the CCPA, the CPRA's predecessor law, they may just issue warnings and guidance for a year or so before pursuing fines and penalties. Nevertheless, employers should take advantage of the remaining window to finalize and post their privacy notices, execute their remaining vendor agreements, and ensure that their policies and procedures support their compliance with this demanding new law.

Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen are attorneys with Littler. ©2023. All rights reserved. Reprinted with permission.