California: CPRA Applies to Employees, Job Applicants, and Independent Contractors

APPLIES TO

All Employers with CA Employees

EFFECTIVE

January 1, 2023

QUESTIONS?

Contact HR On-Call

(888) 378-2456

 

The California Privacy Protection Agency (CPPA) recently proposed draft regulations to implement the Consumer Privacy Rights Act of 2020 (CPRA). The CPRA itself amended and expanded the California Consumer Privacy Act (CCPA). While the CPPA has only begun its rulemaking process, employers should expect the proposed regulations to be implemented in most of their current form. Of special note, the proposed regulations do not limit rights for employees, job applicants, or independent contractors under the CPRA as those rights were limited under the CCPA.

 

The proposed regulations are extremely lengthy and employers should review them in their entirety. The following are some of the most notable requirements employers should prepare to implement.

Transparency. The proposed regulations add more requirements for the notice businesses must provide at the time of collection of sensitive personal information. This includes a list of categories of sensitive personal information to be collected, whether personal information is sold or shared, how long the business intends to retain each category of personal information or the factors used to determine the retention period, and if the business allows third parties to control the collection of the sensitive personal information as well as the names of the third parties.

 

Consent. If a business intends to use sensitive personal information for a purpose that is unrelated to or incompatible with the purpose for which that information was collected or processed, then the business must obtain explicit consent for that use. The method for collecting that consent must be symmetrical. For example, the method for saying “no” should be no more burdensome than the method for saying “yes”. The proposed regulations provide the example of using consent options of “yes” and “ask me later”. These are asymmetrical or a “dark pattern”. A dark pattern is anything that diminishes a consumer’s free choice or otherwise manipulates, subverts, or impairs that free choice.

 

Notice of Third Party Collection. A business that uses third parties to collect sensitive personal information must notify the consumer of the name of the third party at collection or provide information about that third party’s information handling practices in the notice at collection. This requirement applies whether the third party collects the information through a website or at the business’ physical location, like an internet service provider, for example.

 

Independent Contractors/Service Providers. An independent contractor or service provider who receives sensitive personal information from a business must be contractually limited to processing personal information for the business purpose for which it received the personal information. The business purpose must be listed with specificity in the contract. These third parties must also honor requests to delete or opt out of the sharing of personal information if requested by the consumer.

 

Right to Correct and Right to Delete. The proposed regulations provide more guidance to businesses on how to handle consumer requests to correct information. If the request for correction is burdensome, businesses may consider the totality of the circumstances: 1) the nature of the information, 2) how it was obtained, and 3) the documentation relating to the accuracy of the information. After verifying, businesses may comply with the consumer request by correcting the information or verifying accuracy, or they may choose to delete the information if there is no negative impact to the consumer or the consumer consents. If a business deletes the personal information, it must notify all of its third-party independent contractors and service providers to also delete the information.

 

Right to Opt-Out and Right to Limit Sharing. The proposed regulations require businesses to process all consumer opt-out preference signals that are sent by a platform, technology, or other mechanism on behalf of a consumer expressing their consent to opt out or stop sharing personal information. Businesses must process these requests in a “frictionless manner” which means not charging a fee, not changing the consumer experience, and not displaying pop-ups or other content other than acknowledgment of the opt-out. Again, these requests from the consumer must be communicated to third-party independent contractors and service providers.

 

Data Minimization and Data Retention. Businesses must develop data retention policies and a data purge process. Collection, use, retention, and sharing of sensitive personal information must be reasonably necessary and proportionate to the original purpose for collecting it. The following are prohibited: use of geolocation through an app that is not primarily used for geolocating, sending personal information to a SaaS company for developing unrelated products or services, marketing another business’ products, and retaining consumer files after the consumer deletes their account.

 

Audit and Enforcement. The CPPA has much greater authority under the proposed regulations. It has a broad right to investigate without referral from another agency or a sworn complaint. It may also audit businesses, service providers, independent contractors, and individuals to ensure compliance with the CPRA. It may also initiate a proceeding where there is probable cause that the evidence supports a reasonable belief that the CPRA has been violated.

 

Action Items

  1. Review the draft of the proposed regulations here. Continue to monitor the rulemaking process.
  2. Identify what information about employees is being collected and which departments may have this information.
  3. Evaluate which information qualifies as sensitive personal information under the CPRA and how that information is being used.
  4. Create a data retention policy and draft required notices.
  5. Create and implement processes for ongoing review of data and deletion compliant with the retention policy as well as procedures for handling employee requests to exercise rights under the CPRA.
  6. Review and revise independent contractor agreements to include limitations and business purpose for sensitive personal information.
  7. Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.

 


Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2022 ManagEase