California Privacy Rights Act Set to Apply to HR Data Effective January 1, 2023
On January 1, 2023, absent intervention from the California legislature, the nation’s first comprehensive data privacy law, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), will regulate not only consumer data but also previously exempt human resources data. The CPRA will extend its heightened data protection requirements, including limits on the processing of sensitive personal information and rights of deletion and access, to the personal information of California employees, job applicants, and contractors.
The CPRA significantly impacts the U.S. data privacy landscape, as we previously wrote when the Act was passed via ballot initiative. The CPRA’s amendments and expansions to the CCPA align the data protection regime for California residents more closely with that of the EU General Data Protection Regulation, placing new limits on companies’ collection and use of personal information and creating a new enforcement arm, the California Privacy Protection Agency (“CPPA”). The CCPA and CPRA – including their protections for HR data – will apply to all businesses that process the personal information (“PI”) of California residents and either (1) gross at least $25 million in annual revenue, (2) buy, sell, or share the personal information of at least 100,000 consumers, or (3) derive fifty percent or more of annual revenue from selling or sharing consumer PI.
The CPRA’s impact on Californians’ HR data – such as employee performance reviews, attendance records, and other documents – includes creating rights (under certain circumstances) to delete, correct, review, and request production of that data. It also entitles employees to advance privacy notices, lets employees block the sale and sharing of their personal information, and prohibits retaliation against employees for exercising these rights.
In light of the impending effective date of the CPRA, as amended, employers should begin to develop compliance programs and take stock of the CPRA’s impact on their data. Privacy professionals had hoped that the regulations to be issued by the California Privacy Protection Agency would shed better light on the full scope of expectations with respect to HR data, but those regulations have been delayed until Q3 or Q4 2022. Waiting for the regulations before acting is therefore not a prudent approach.
In developing compliance programs, companies must determine whether to apply the provisions of the CPRA nationally or only to California residents. There is no one-size-fits-all answer, but companies clearly must begin to prepare with respect to California residents. Adopting a uniform national approach may anticipate similar laws in other jurisdictions and be easier administratively. On the other hand, limiting the application of the law to California residents acknowledges that other jurisdictions may enact materially different requirements. A middle-ground approach could be to craft a privacy program with “California only”, “Virginia only”, “Colorado only”, etc. sections.
Companies looking to develop a compliance program also need to consider how they will identify the places where data covered by the CPRA is stored. A survey of organizational stakeholders may be useful or necessary to identify where HR data resides, which may, depending on the circumstances, range from traditional HR databases, payroll systems, and recruitment tracking platforms to OSHA records and workers’ compensation files. Companies will also need to account for records held by third-party HR vendors.
The civil penalty for violating the CPRA ranges from up to $2,500 per violation for unintentional violations to up to $7,500 per violation for intentional violations. While preparing for CCPA and CPRA compliance, we encourage you to reach out to outside counsel to discuss the best approach for your business.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.