By: Diane Byun
Effective January 1, 2023, the California Privacy Rights Act (“CPRA”) expands and amends the California Consumer Privacy Act (“CCPA”), making it the first comprehensive U.S. data privacy law to afford protections upon human resources data. Such data includes personally identifiable information (“personal information”) of applicants, employees, independent contractors, dependents, and other employment-related information of California residents (collectively, “Employees”).
Among other things, the CPRA restricts the processing of sensitive categories of personal information for limited purposes, otherwise they must notify Employees of the additional purposes and provide Employees the opportunity to opt-out of such processing. At the same time, understanding the role of sensitive data points is a critical aspect of initiatives relating to diversity, equity, inclusion, and accessibility (“DEIA”). How does an employer reconcile this apparent clash?
Who Must Comply
Employers should first determine whether they are covered by the landmark California privacy law. At present, the CCPA applies to for-profit entities that do business in California and meet any of the following thresholds:
- Have a gross annual revenue of over $25 million;
- Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
- Derive 50% or more of their annual revenue from selling California residents’ personal information.
As of January 1, 2023, the “original” version of the CCPA dissipates. Employers will be covered by the surviving CPRA to the extent they are a for-profit entity that does business in California, collects personal information from California residents, and satisfies at least one of the following thresholds:
- As of January 1 of the calendar year, has annual gross revenues in excess of $25 million in the preceding calendar year;
- Alone or in combination, annually buys or sells, or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Employers that do not meet these criteria could still be subject to the CPRA if they:
- Own or control a business defined by the CRPA; or
- Share common branding with a business and with whom the business shares (or receives) Consumers’ personal information.
Notably, to qualify under the CPRA’s common branding category, the information from the covered business must be for cross-context behavioral advertising purposes.
Overview of Notice Requirements
Prior to January 1, 2023, covered employers must ensure execution of proper notice at collection. Although human resource date is exempt under the CCPA, covered employers must issue privacy notices to their Employees with an initial disclosure, at or before the point of collection. This initial disclosure must identify the categories of personal information collected and the purposes for which the categories of personal information shall be used, likely triggering notice requirements for the collection of diversity-related personal information. If the employer sells the human resource data, then the notice at collection must include a Do Not Sell link. The disclosure must also contain a link to the employer’s CCPA-compliant privacy policy.
Once effective, the CPRA signals the end of the temporary carve-out for human resources data, affording Employees with the same rights that have applied to general consumers since 2020. In relation to notice requirements, the CPRA mandates that a covered employer that controls the collection of an Employee’s personal information must also disclose the following at or before the point of collection:
- the purpose for which categories of both sensitive personal information and personal information are collected or used;
- whether this personal information is sold or shared; and
- the employer’s retention policy.
This notice requirement may be fulfilled by way of a privacy policy detailing how human resource data is processed, including a description of the various privacy rights available to Employees under the CPRA, including:
- Right to Access: The CPRA allows an Employee to make a request to know the specific pieces of personal information an employer holds about them that were generated on or after January 1, 2022.
- Right to Correct: Employees may request that their employer correct any inaccurate personal information that has been collected.
- Right to Delete: Employees may request that their personal information be deleted.
- Right to Restrict: Employees have the right to restrict the use of their sensitive personal information to specific business purposes or limited disclosures.
- Right to Opt-Out of Sale or Sharing: Employees can opt out of the sale or sharing (as defined by the CPRA) of their personal information by their employer to a third party.
- Right to Know: Employees may request from their employers the personal information that has been collected about them during the preceding 12 months.
In addition to the above, employers covered by the CPRA will be required to:
- Comply with the new privacy right obligations regarding human resources data;
- Safeguard human resources data against unauthorized disclosures; and
- Include specific CPRA provisions in contracts with third parties that process human resources data.
What is Sensitive Personal Information?
The CPRA’s definition of “sensitive personal information” includes the following types of data, all of which employers often collect:
- Social Security number;
- Driver’s license number;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Union membership;
- Personal mail, email, and text messages;
- Precise geolocation;
- Biometric information for the purpose of unique identification; and
- Personal information collected and analyzed concerning an individual’s health.
The Right to Limit the Use and Disclosure of Sensitive Personal Information
On May 27, 2022, the California Privacy Protection Agency released its draft CPRA regulations, operationalizing the new right to limit the use of sensitive personal information under the CPRA. The draft regulations add Section 7027, concerning consumer requests to limit the use and disclosure of sensitive personal information. The primary focus of Section 7027 is to provide consumers, including Employees, the ability to limit use and disclosure “to that which is necessary to perform the services or provide the goods reasonably expected.” Employers that process sensitive personal information for certain purposes must provide a notice of such processing at or before the point of collection. Covered employers using or disclosing sensitive personal information would be required to provide two or more designated methods for submitting requests to limit, and at least one of the methods must reflect the manner in which the business primarily interacts with the consumer (e.g. by restricting processing to only permissible purposes through a “Limit the Use of My Sensitive Personal Information” link).
Regardless of the implementation of Section 7027, covered entities are permitted to use or disclose sensitive personal information without being required to offer consumers a right to limit when the information is necessary to perform the services reasonably expected by an average consumer who requests those goods or services; to detect security incidents to resist malicious or illegal attacks on the business; ensure the physical safety of natural persons; for short-term, transient use; perform services on behalf of the business; or verify or maintain the quality or safety of the business. How the foregoing will specifically apply to Employees’ sensitive personal information is yet to be seen as the proposed regulations of the CPRA continue to be reviewed by the California Privacy Protection Agency.
The right to restrict sensitive personal information, however, only applies to sensitive personal information that the covered Employer uses with the purpose of “inferring characteristics” about the Employee. If the information is not collected and used by the employer for the purpose of drawing inferences about Employees, such data can be listed as personal information in the required disclosure within the other categories of personal information collected by the employer. This may seem like a benign distinction, but identifying the data delta will be crucial for employers to avoid unnecessary notice requirements. If a covered employer discloses the collection of sensitive personal information, this will likely lead to, at a minimum, an increase in inquiries from Employees regarding such processing practices. The incorporation of these categories of information within a list of general categories of personal information collected may enable covered employers to avoid an increase of human resources issues as they would only have to disclose those categories of information that are generally designated as “sensitive,” such as social security numbers.
What is an Inference?
On March 10, 2022, the Office of the Attorney General of California (“OAG”) explained that inferences could include “a characteristic deduced about a consumer (such as ‘married,’ ‘homeowner,’ ‘online shopper,’ or ‘likely voter’) that is based on other information a business has collected (such as online transactions, social network posts, or public records),” and established a two-prong test for determining when “inferences” are “personal information” that must be disclosed to consumers under the CCPA.
First, the inference must be derived from an analysis of personal information subject to the CCPA (as well as the CPRA, once effective). This prong is satisfied given the inherent nature of human resources data. Covered entities are deemed to “collect” such inferences even if they are derived internally from other information that has been collected.
Second, the inference must be used to create a profile on the consumer or “predict a salient consumer characteristic.” The OAG limited the scope of inferences that must be disclosed to those used to predict, target, or otherwise affect consumer behavior. In other words, inferences used solely for internal purposes, such as to complete the address on file for a consumer, are not covered. Should the inferences be utilized to determine a consumer’s propensities, they become part of the consumer’s profile and must be disclosed.
At present, the scope and definition of such inferences and characteristics as applied to Employees’ sensitive personal information is yet unknown as the opinion was issued in relation to the CCPA. This may change as the California Privacy Protection Agency finalizes its regulations in the coming months.
Bridging the Gap
Despite the new CPRA obligations, covered employers may be able to execute their DEIA initiatives by (1) incorporating algorithmic bias training in the training programs required by the CCPA; and (2) relying upon existing legal requirements to collect certain sensitive human resource data.
Covered employers must ensure that all individuals responsible for privacy compliance or handling responses to data inquiries are informed of all requirements of the CCPA/CPRA, as applicable. This includes training on providing clear instructions on how to exercise data privacy rights. Covered employers are also required to establish, document, and comply with a training policy if they know, or reasonably should know, that they buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of 10 million or more consumers (including Employees, post-2022) in a calendar year.
In connection with the requisite data privacy training, covered employers may educate trainees about the risks of algorithmic bias to promote DEIA and decrease discrimination risks within the organizational culture. Employers can remain compliant while actively promoting DEIA by training key privacy personnel about how artificial intelligence tools have resulted in discrimination in recruitment and other employment decisions. Suggested topics include the EEOC’s recent initiatives highlighting the impact of algorithmic bias in perpetuating bias or creating discriminatory barriers to jobs; the FTC’s ban on the sale or use of racially biased algorithms under the FTC Act; and California’s Fair Employment and Housing Council’s proposed regulations to limit an employer or covered entity’s ability to use qualification standards, employment tests, algorithms, or other criteria that screen out or tend to screen out protected individuals or groups, unless job-related and consistent with business necessity.
Additionally, covered employers may collect diversity data points while remaining compliant by way of reliance on existing laws. For example, Title VII of the Civil Rights Act of 1967 requires employers with at least 100 employees to submit an EEO-1 report to the EEOC. The EEO-1 covers the racial/ethnic and gender composition of the employer’s workforce by specific job categories. On the state level, private employers with 100 or more employees in California are required by California Government Code section 12999 to maintain and report employee pay data for specified job categories by gender, race and ethnicity. Covered employers with less than 100 employees should utilize anonymous self-reporting systems to obtain the requisite data points to inform policies and practices relating to DEIA initiatives. This can be implemented by surveying employees periodically, requesting updated profile information, and allowing employees to anonymously self-identify. No matter the method of data point procurement, employers should conduct regular data mapping and proper algorithm audits. Proper implementation of mapping and audits will require stakeholder engagement, including developers, sales representatives, client managers, users, and policy makers.
The protection of personal information and prevention of discrimination should be a priority for all parties. Accordingly, employers should evaluate their privacy policies and practices to ensure both compliance and DEIA in the workplace.
Diane Byun (CIPP/US) is a data privacy and transactional associate with Reicker, Pfau, Pyle & McRoy LLP. Diane counsels companies on compliance issues relating to data privacy laws and regulations with a particular focus on the California Consumer Privacy Act (CCPA). Diane also supports companies on matters involving data mapping, legal analysis of data processing, and drafting privacy policies, and terms of service.