Consumer Privacy Protections for Employers Under the California Consumer Privacy Act

Employees right to data privacy.

Consumer Privacy Protections for Employers Under the California Consumer Privacy Act, as Amended by the California Privacy Rights Act (CCPA)

 

When the California Consumer Privacy Act (“CCPA”) originally took effect in 2020, it exempted employees from most of its provisions. This year, the California Privacy Rights Act (“CPRA”) finally extends major consumer privacy rights under the CCPA to employees and job applicants of covered employers. In addition to requiring covered employers to provide privacy notices at the time employee personal information is collected, the CPRA grants employees several new rights, including the rights to request what personal information their employers have collected and/or disclosed and to request that their employers delete their personal information, with some exceptions.

Covered employers do not need to – and in some instances may not – delete certain data, including where a business’s legal obligations require its retention, such as under California Labor Code Sections 1198.5(c) (retention of personnel files) and 226(a) (retention of payroll records). Among its other provisions, the CPRA also allows employees to opt out of the sale or sharing of their personal information and to limit the use of “sensitive” personal information, a new category of data under the CCPA that includes an employee’s social security number, driver’s license, and financial information, as well as race, ethnicity, and religion. The CPRA includes an anti-discrimination provision, which prohibits retaliation for the exercise of rights under the Act.

Though its provisions are wide sweeping, the CCPA focuses on larger companies and those engaged in the sale of data. It covers only companies doing business in California that fall within one of 3 categories: (i) businesses having annual gross revenues that exceed $25 million; (ii) those that annually buy, receive, share, or sell personal information of more than 100,000 consumers or households in California; or (iii) companies that derive at least 50 percent of their annual revenue from selling or sharing personal information of residents of California.