Regulatory policy

California Privacy Rights Act for Employers: Developing and Publishing a Privacy Policy for Human Resources Data

This is the fifth in a series of articles on the implications of the California Privacy Rights Act for employers.

The California Privacy Rights Act (CPRA), which takes effect on January 1, 2023, will impose specific notification obligations on employers. In a previous article, we discussed the first type of notice required under the CPRA, the notice at collection, which explains how the employer will collect, use and retain the personal information it collects. This article deals with the second type of notice required by the CPRA, namely a privacy policy that must be posted online or on the employer’s website.

Employers familiar with the CPRA’s predecessor, the California Consumer Privacy Act (CCPA), are likely aware that the CCPA exempts the data of employees, applicants, independent contractors, dependents, and other individuals in their HR capacity (collectively, “HR People”) from most of its requirements. As such, other than providing notice at collection and implementing reasonable safeguards to reduce the risk of statutory damages for information security breaches, the remaining obligations under the CCPA do not apply to HR data. The CPRA, however, ends the exemption for HR data and introduces new requirements for the handling of personal information, including the publication of a privacy policy.

Content of the online privacy policy

Content required

The privacy policy must disclose the following:

  1. the categories of personal information collected by the employer in the previous 12 months;
  2. the categories of sources from which the personal information is collected;
  3. the business or commercial purposes for collecting, selling or sharing that personal information;
  4. the categories of third parties to whom the personal information is disclosed;
  5. the categories of personal information sold or shared for cross-context behavioral advertising purposes in the previous 12 months;
  6. the categories of personal information disclosed for business purposes in the previous 12 months; and
  7. the individual’s CPRA rights and how to exercise those rights, which includes, at a minimum, a toll-free telephone number and at least one other method for submitting rights requests.1

For more information on the rights of HR people, please see our previous articles explaining the data rights that HR people can exercise under the CPRA.2

Comparison with the notice at collection

At first glance, the information required in the online privacy policy may look very similar to that required in the notice at collection. Indeed, there is substantial overlap: both the notice at collection and the privacy policy must disclose the categories of personal information collected and the purposes for which the information is collected. But there are also key distinctions between the two forms of notice.3

To begin with, the notice at collection is prospective, while the online privacy policy is retrospective, providing information about the employer’s information handling practices during the 12 months prior to the policy’s effective date.4 Also, unlike the notice at collection, which need only cover the personal information collected at the time of notice, the privacy policy must be comprehensive, covering all data handling in the organization during the last 12 months. In concrete terms, this means that a CPRA privacy policy published on January 1, 2023 must cover data processing as of January 1, 2022. Therefore, employers should start tracking now how they have handled personnel information since January 1, 2022.

In some respects, however, the privacy policy is less comprehensive than the notice at collection. Unlike the notice at collection, the privacy policy does not need to include information about data retention.

Opt-out options

Additionally, while the notice at collection need only indicate whether the personal information collected is being sold or shared, the privacy policy must disclose the specific categories of personal information that have been sold or shared in the previous 12 months. As we have explained in our previous articles, however, most employer data handling practices do not qualify as “selling” or “sharing” HR data, as those terms are defined in the CPRA. In other words, most employers do not transfer HR data to third parties in exchange for monetary or other valuable consideration.5 Most employers also do not disclose personal information to third parties for cross-context behavioral advertising.6

For employers who do not sell or share HR data, the privacy policy must include a prominent statement that they have not sold or shared personal information in the past 12 months. For employers who do sell or share HR data, the privacy policy must include a link to the web page where the individual can opt out of such sales and sharing.7

Finally, if the employer infers characteristics from sensitive personal information and uses or discloses that information for purposes other than a limited set of operational purposes specified by the CPRA, the privacy policy must include notice of this and give individuals the ability to opt out of use or disclosure for those purposes.8 Like “selling” and “sharing”, the right to limit the use and disclosure of sensitive personal information will only very rarely apply in the employment context, as employers generally do not infer characteristics from this information.

Distribution of Privacy Policy

Posting “online”

The law requires that the privacy policy be posted: (a) in the company’s online privacy policy and in any California-specific description of individuals’ privacy rights; or (b) on its website.9 The CPRA does not define what it means to post the privacy policy “online”. Therefore, absent specific guidance to the contrary once the CPRA regulations are published, “online” could reasonably be interpreted to include an employer’s intranet, as long as HR People can access the privacy policy there. Since candidates would not have access to a company intranet, employers using this approach should consider posting a separate privacy policy for candidates on their careers website.

Combination with collection notice

Additionally, many employers may combine the notice at collection and the privacy policy into one document. The overlapping disclosures in each document will be substantially identical, particularly if the company’s prospective and retrospective treatment of personal information is substantially the same. Most likely, California regulators will not object to combining the documents, because the CCPA regulations specifically allow the notice at collection to be included in a privacy policy. The release of the CPRA’s final rules later this year may provide more information on this issue.

Combination with other privacy policies

Similarly, many employers may wish to include the CPRA privacy policy or notice at collection within an existing privacy policy covering HR data. Employers may have implemented these existing privacy policies to comply with other data protection laws, such as the European Union’s General Data Protection Regulation, or simply for the sake of transparency. In this case, the CPRA privacy policy can often be incorporated into the more general privacy policy. For example, the factual sections on how data is processed might apply to people in multiple jurisdictions, while the description of California privacy rights might be covered in a section specific to California residents.

Privacy Policy Update

Finally, the CPRA requires that the privacy policy be updated “at least once every 12 months”.10 Because the privacy policy represents the company’s data handling practices, employers should consider updating it for accuracy whenever there is a material change in the way they process the personal information of California residents. Additionally, companies may choose to schedule an annual review of their privacy policy to ensure that no material changes are missed.

Privacy Policy Writing Steps

Given the amount of information that must be disclosed in a CPRA-compliant privacy policy, employers should plan their compliance efforts well in advance of the January 1, 2023 effective date. We recommend considering proactive measures, such as the following steps:

1. Perform data mapping: The first step is often to map the relevant HR data. In other words, employers must determine the categories of personal information they collect from HR People, the sources of collection, the third parties to whom that personal information is disclosed, and the purposes for which the information is collected. This assessment will likely require coordination across multiple departments, stakeholders and data custodians to accurately report on the company’s information handling practices.

2. Determine how to separate or combine privacy policies: Employers should assess the extent to which they intend to create separate privacy policies for different populations or combine the privacy policy with other documents. For example, the employer may combine the CPRA privacy policy for candidates with an existing privacy policy on its careers website, but draft a separate CPRA privacy policy for current workers to be posted on its intranet. The employer may post yet another CPRA privacy policy for dependents, beneficiaries and spouses on its benefits portal.

3. Draft privacy policies taking into account employment risks: When drafting the privacy policy, employers should be careful not to inadvertently create risks under other laws relevant to the employment context. For example, bundling descriptions of how the company handles the personal information of employees and independent contractors could potentially increase the risk of misclassification claims. Therefore, employment counsel should be closely involved in the drafting process.

4. Establish regular reviews: To ensure the continued accuracy of the privacy policy, employers should consider establishing regular review processes.