O’Melveny Worldwide

California Workers Gain New Data Privacy Rights in 2023: Is Your Business Ready?

November 29, 2022

New Year’s Day will bring significant new data privacy obligations for businesses that employ California residents. Although enforcement by state regulators will begin July 1, 2023, the new California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA), effective January 1, 2023, to require companies subject to the CCPA to extend personal information privacy rights to their workers (past and present), officers, directors, medical staff members, independent contractors, and job applicants.[1] This means that businesses will have to provide a notice and privacy policy covering collection, use, and transfer of personal information and offer these individuals the right to request copies, correction, and deletion of their personal information, among other rights. This change dramatically expands worker privacy rights and increases the obligations of companies with California workers. With this change, California will be the first state to extend consumer data privacy rights to workers, in contrast to data privacy laws enacted in the past year in Colorado, Connecticut, Utah, and Virginia, all of which permanently exempt worker personal information from their requirements.

Companies with workers who are California residents should prepare for these changes to take effect by taking steps now to identify, organize, and establish processes for responding to requests concerning their worker and job applicant personal information, review their agreements with third parties, and revise notices of collection and privacy policies to ensure they are in compliance by January 1.

Expiration of the CCPA’s worker exemption

The CCPA, which took effect on January 1, 2020, initially exempted from most of its provisions personal information collected from job applicants, workers, officers, directors, independent contractors, and medical staff members, to the extent that the personal information is collected and used by the business solely within the context of the individual’s current or former business role. The only provision that applied specifically to worker personal information was the obligation to provide a “notice at collection,” listing the categories of personal information collected, the purpose of the collection, and the source of the personal information collected. The exemption was initially anticipated to expire on January 1, 2022. However, in 2021, California voters approved Proposition 24, enacting the California Privacy Rights Act (CPRA) and extending the worker exemption until January 1, 2023. While Assembly Bill 1102 was introduced in the California Legislature earlier this year to extend the exemption until January 1, 2025, the bill was never presented for a vote during the Legislature’s regular session, meaning that the exemption will expire at the end of this year. Consequently, beginning January 1, 2023, businesses with California workers will have to respond to their workers’ data privacy requests invoking one or more of the rights discussed below.

Who must honor worker data privacy rights

A business must comply with worker data privacy requests beginning in January if the company is a for-profit entity that does business in California, collects and determines the purpose and means of processing workers’ personal information, and meets one of the following thresholds for CCPA application: (a) the business had gross annual revenue in the prior calendar year exceeding $25 million (adjusted for inflation), (b) the business annually buys, receives, shares, or sells the personal information of more than 100,000 California consumers or households, or (c) the business derives at least 50 percent of its annual revenue from selling or sharing the personal information of California residents. If the business is not covered under the CCPA’s existing requirements, it is not covered by the CPRA either.

New worker data privacy rights

Under the CCPA as modified by the CPRA, workers will have expanded rights (listed below) with respect to their business’s collection, use, and disclosure of their personal information. Businesses must respond to the following worker data privacy requests within 45 days (which may be extended up to a total of 90 days “taking into account the complexity and number of the requests”). It will be important for the business to assess the extent to which it has a basis for denying or limiting its response to these requests. Businesses may deny a worker’s request if responding “proves impossible or would involve a disproportionate effort,” but a business that fails to put in place adequate processes and procedures to receive and process requests cannot claim that responding to a consumer’s request requires disproportionate effort, as defined in the regulations. Denial may also be justified to the extent necessary to comply with legal obligations, exercise or defend legal claims, or cooperate with a law enforcement agency.

  • The right to know what personal information is collected, sold, and shared: Workers can request both the categories and specific pieces of personal information the business collects about the worker, as well as the purpose for collection and sale, if applicable. A business can reject or limit the scope of a request to the extent that it seeks this information collected and maintained prior to January 1, 2022, or is “manifestly unfounded or excessive, in particular because of their repetitive character.” But if the business denies the request, the business must provide a detailed explanation of its refusal to the worker. The right to know is more expansive than the right to delete, reaching all personal information held by the business, not just information collected from the worker. This means that a business would need to be prepared to gather a wide variety of information if a worker requests all of their personal information.
  • The right to delete personal information: A worker can request that the business delete personal information “collected from” the worker, with some exceptions. Businesses need not delete worker personal information collected from sources other than the worker or generated by the business. Businesses can deny a request if the personal information is necessary within the context of the worker relationship or necessary to comply with the business’s legal obligations. For example, California Labor Code § 1198.5 requires businesses to retain certain records for three years after the worker’s termination. A similar requirement applies to payroll records under California Labor Code § 226(a). Thus, to comply with these and any other applicable provisions, a business need not delete such records at the worker’s request.
  • The right to correct inaccurate personal information: Workers can request that the business correct their inaccurate personal information. When evaluating the accuracy of the personal information at issue, a business must consider the “totality of the circumstances” relating to the contested personal information and use “commercially reasonable efforts” if corrections are necessary. A business may require the worker to provide documentation supporting the requested correction and may delete the information instead of correcting it if deletion does not negatively impact the worker.
  • The right to opt out of sale or sharing of personal information: Workers can request that the business not sell or share the worker’s personal information. The sale of personal information is broadly defined to include nearly any transfer of personal information to a third party for monetary or other valuable consideration. Sharing information is defined as the transfer of personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Businesses should evaluate whether their transfer of worker information to human resources vendors and others could arguably constitute a sale. In addition, businesses should assess their current agreements with such vendors to ensure they comply with the proposed regulations under the CPRA requiring such contracts to have certain protections.
  • The right to limit use and disclosure of sensitive personal information: Workers can request that the business limit disclosure and use of their sensitive personal information to the uses that an average worker would expect are reasonably necessary to maintain the worker relationship. Sensitive personal information is a new category of information in the CPRA that includes the processing of biometric information for the purpose of uniquely identifying the worker; personal information collected and analyzed concerning a worker’s health, sex life, or sexual orientation; and any personal information that reveals certain private information, including a worker’s Social Security, driver’s license, state identification card, or passport number; financial account information and access credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of a worker’s communications; or genetic data. This limitation only applies to businesses that collect and use sensitive personal information to infer characteristics about workers.
  • The right against discrimination or retaliation: Workers have the right to exercise the data privacy rights listed above without discrimination or retaliation by the business. For example, a business cannot discipline or terminate a worker for making a legitimate CCPA request.

New requirements for notice of collection and privacy policy

Under the CPRA, businesses must provide their workers with both (a) a notice of collection at or before the point of collection of their personal information, and (b) a privacy policy describing the personal information collected in the past 12 months and explaining the worker rights under the CCPA and how to exercise them. The CPRA requires the notice of collection to contain more than its CCPA predecessor. Namely, a business must inform workers of (1) the categories of personal information collected or used, the purposes for which they are collected, and whether that information is sold or shared; (2) the categories of sensitive personal information collected, the purposes for which that information is collected or used, and whether that information is sold or shared; and (3) the length of time the business intends to retain each category of personal information or, if that is not possible, the criteria used to determine that period. Businesses may not retain personal information longer than is reasonably necessary to satisfy the disclosed purpose for which it was collected.

Data processing agreements

The CPRA expands requirements of data processing agreements (DPAs) executed between a business and third parties, including vendors that handle worker and job applicant personal information. Under the CPRA, a business that sells or shares personal information of a consumer (or worker) with a service provider, contractor, or third party (any other entity to which a business transfers personal information) must enter into an agreement with that entity “for a business purpose” that incorporates the following requirements:

  • Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
  • Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and to provide the same level of privacy protection as is required by this title.
  • Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under this title.
  • Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.
  • Grants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

Enforcement

The California Attorney General and the California Privacy Protection Agency (CPPA) hold joint authority to enforce the CCPA as amended by the CPRA. The CPRA makes no change to the limited private right of action available to consumers (including workers) whose personal information is the subject of a security breach. Beyond this limited private remedy, either the Attorney General or the CPPA may bring an administrative enforcement action to seek administrative fines of $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of a consumer whom the business knows to be under 16 years old. The Attorney General has signaled that his office intends to continue to aggressively enforce the CCPA. On August 24, 2022, the Attorney General’s office announced the first CCPA enforcement action settlement, requiring a retail cosmetics company to pay penalties of $1.2 million to resolve allegations that it violated the CCPA’s requirement to disclose the sale of personal information and the requirement to permit consumers to opt out of the sale of their personal information.

The Attorney General’s enforcement capabilities will be strengthened by the expiration of the statute’s notice-and-cure provision. The CCPA currently requires that a business allegedly violating the CCPA be provided notice of the alleged violation and 30 days to cure it. This notice-and-cure provision expires on January 1, 2023. Although enforcement of the CPRA’s provisions will not begin until July 1, 2023, the Attorney General and the CPPA will then be empowered to bring civil actions to enforce the statute’s mandates without providing businesses time to cure alleged violations. For this reason, businesses need to make sure they are in compliance by January 1, 2023, if possible, and certainly no later than July 1, 2023, when enforcement commences.

Practical Steps to Prepare

There are several steps businesses should take to prepare for the changes that take effect in January.

  • Businesses should inventory their recruitment and worker data to determine what types of information will be subject to the expanded notice requirements and privacy rights. Identifying any personal information considered sensitive personal information is particularly important. The inventory process may require consideration of data stored in systems separate from those that store sales and customer data and information held and collected by service providers.
  • Businesses should review their policies for compliance with the CPRA and the requirements of the CPPA’s draft regulations, which will likely be in near-final form by the end of the year.
  • Businesses should establish or revise written policies and procedures to govern requests for information from job applicants and workers and evaluate legal and other obligations that justify denial or a limited response to these requests. This may include drafting a standard form, webform, or establishing other channels for worker and applicant requests and business responses.
  • Businesses should review whether and how recruitment and worker data is sold, shared, or disclosed to third-party entities and understand the role data processing agreements (DPAs) play in governing these transfers.
  • If necessary, businesses should clarify vendor responsibilities within DPAs to require prompt, precise, and thorough assistance with data rights requests regarding personal information held or processed by the vendor.

[1] For simplicity, we refer to all of these categories with the term “worker” here. Although we focus on how these CCPA changes apply in the business-worker context, the data privacy rights we discuss here may be exercised by all California consumers.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California, Lorenzo d’Aubert, an O’Melveny associate licensed to practice law in Washington, DC, and Chelsea Espiritu, an O’Melveny law clerk, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2022 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.