Employee Privacy and Data Protection Under CPRA and Other State Laws

Description

On Jan. 1, 2023, businesses subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA) will need to reconsider their privacy practices concerning their customers' personal information and their employees’ personal information.

Businesses subject to the CPRA must draft new, or update existing, personnel privacy policies that disclose the personal information they collect in the employment context, including employees, job applicants, and contractors. Privacy policies will now need to include additional disclosures regarding data retention periods or criteria used to determine such periods and more detailed disclosures regarding types of data collected, including sensitive data. Updated privacy policies will also need to offer employees certain rights that formerly only applied to other types of consumers, such as website users and customers, under the CPRA.

Businesses must consider where to display and disclose these privacy notices as they must be available at the time of collection. Thus, companies should include the privacy notices on job applications and recruiting website pages and, for existing personnel, distribute internally in addition to posting on the business intranet.

Under the CPRA, personnel can request access to data retained by the business or ask that such data be deleted, and subject to a few exceptions, companies will need to act swiftly within the mandated 45-day period (with an optional 45-day extension) to provide or delete data. Employees will acquire other rights, such as the right to correct inaccurate data about them and to restrict the use of sensitive information in employee files.

Businesses with personnel across various states should consider if they want to offer the same rights to all personnel or only California-based personnel. Other state laws differ, further complicating the landscape and considerations. Before starting to update any documents, businesses must have a clear understanding of their data collection practices.

A business must conduct detailed data mapping exercises to know where their data is stored, not only to update their policies but also to appropriately and efficiently respond to a user's request for access, deletion, or correction. Businesses will need to update their privacy and data retention policies and practices.

Listen as our expert panel discusses how the CPRA directly affects employee data collection and retention and how this law will ultimately affect employee policies and practices.