This is the second in a series of articles about the implications of the California Privacy Rights Act for employers.
The California Privacy Rights Act (“CPRA”), which goes into effect on January 1, 2023, grants six new rights to California residents in their roles as employees, applicants, independent contractors, and other human resources members (“HR Individuals”).1 In our previous article in this series, we covered how the rights to know, correct, and delete personal information apply to employers.2 This article covers the three other rights. Two of these are the right to opt out of the sale or sharing of personal information, and the right to restrict the use and disclosure of sensitive personal information, by the employer and employer’s vendors. The last right is the right of HR Individuals not to be discriminated against for exercising these rights.
This article discusses how the definitional limitations of, and exceptions to, these rights apply in the employment context. Additional key points are the procedural requirements for responding to requests and the role of service providers in assisting with compliance. The discussion ends with practical recommendations on preparing for these three data rights.
The analysis in this article is based on the CPRA’s text only. The CPRA sets a deadline of July 1, 2022, for the publication of final regulations. Those regulations could result in modifications to this analysis.
The Scope of the Data Rights and Key Exceptions
The key to understanding the impact of the data rights on employers is to understand how the CPRA defines and limits each right. Due to definitional limits, the rights to opt out of the sales and sharing of personal information and to restrict sensitive personal information should not apply to many employers. If they do apply, however, the burdens are onerous.
Sales
In the right to opt out of sales, the crucial issue is what constitutes a “sale” of personal information. The CPRA defines “sale” as “communicating … personal information ... to a third party for monetary or other valuable consideration.”3 This might seem so broad as to encompass any sharing of personal information, but the definition contains two key limitations.
First, “sale” includes transfers to third parties only. The CPRA defines “third party” to exclude “service providers” and “contractors.”4 This considerably narrows the scope of the transfers that might qualify as sales for employers. Although employers transfer HR data to many parties, they typically do so in the context of outsourcing HR functions to vendors. Therefore, employers can reduce the risk of transfers being deemed “sales” by ensuring that vendors meet the CPRA’s definition for “service provider” or for “contractor.”
These terms are defined quite similarly. Both are entities to which a business transfers personal information for a “business purpose” subject to a contract that includes specific provisions required by the CPRA.5 This puts the onus on employers to ensure that their vendors sign contracts (a) containing these provisions and (b) limiting the vendor’s use of the personal information to performing services on behalf of the employer. Performing services on behalf of the business is one of the purposes that qualifies as a “business purpose” in the CPRA.
Second, California case law has generally limited “valuable consideration” to a bargained-for exchange between the parties, typically explicitly stated in the contract.6 Nevertheless, the employer should closely scrutinize transfers, especially transfers to parties that have not signed a CPRA-compliant agreement, to ensure that the company does not receive some valuable consideration in exchange for the data.
For example, a contractor that analyzes workplace productivity might provide the employer with a discount if it can retain personal information about employees’ behavior on the company’s electronic systems for its own purposes. Employers that wish to avoid the CPRA’s opt-out right should reject these types of arrangements. Employers also should consider adding provisions to contracts clarifying that the employer does not receive any benefit specifically in exchange for sharing data.
Sharing
Due to the narrow definition of “sharing,” the right to opt out of sharing will apply even less frequently to employers than the right to opt out of sales. The CPRA defines “sharing” as “communicating … personal information by the business to a third party for cross-context behavioral advertising ….”7 “Cross-context behavioral advertising” means “the targeting of advertising” to an individual based on personal information collected about that individual from their activity across businesses, websites, and other services. With the possible exception of some employee discount programs, employers almost never use HR data for cross-context behavioral advertising. Moreover, even if a company shares an employee’s personal information for cross-context behavioral advertising in their role as a consumer of the company’s products or services, the company can handle CPRA compliance through its consumer-oriented compliance program.
Sensitive Personal Information
Like the right to opt out, the right to restrict sensitive personal information also seems, at first blush, to impose sweeping limitations on employers. The CPRA’s definition of “sensitive personal information” includes the following items, all of which employers often collect:
- Social Security number;
- Driver’s license number;
- Racial or ethnic origin;
- Religious or philosophical beliefs;
- Union membership;
- Personal mail, email, and text messages;
- Precise geolocation;
- Biometric information for the purpose of unique identification; and
- Personal information collected and analyzed concerning an individual’s health.8
The CPRA’s right to restrict sensitive personal information, however, only applies to sensitive personal information that the business uses with the purpose of “inferring characteristics” about the individual.9 Unfortunately, the CPRA leaves the meaning of “inferring characteristics” somewhat ambiguous. In particular, the term “characteristics” is undefined. We may obtain more clarity on this issue by next summer. The CPRA delegates to the California Attorney General the task of defining in more detail what “inferring characteristics” means in the CPRA’s regulations, which should be issued by July 1, 2022.
In the meantime, based on the common meaning of the phrase, it seems quite unlikely that employers would use this information to “infer characteristics” about HR Individuals. Employers tend to use sensitive personal information in its direct sense, e.g., using a Social Security number to identify an employee for tax purposes. Indeed, in many cases employers are legally prohibited from making assumptions about HR Individuals on the basis of these types of information. For example, inferring how an employee might act based on race, ethnic origin, or religion almost certainly would violate numerous discrimination laws.
The Right to Opt Out of Sales and Sharing
If the employer “sells” or “shares” HR data, then it must describe the sale or sharing, and the right to opt out, in its privacy policy.10 The employer also must provide a conspicuous link on its internet homepage to a webpage where the California resident can opt out of the employer’s sales or sharing. In practice, the employer must then ensure that it no longer shares the HR Individual’s personal information in any context that constitutes a sale or sharing. Of course, carving out a specific individual’s data from such data transfers may be technically difficult.
The Right to Restrict Sensitive Personal Information
The rules for restricting sensitive personal information are similar. If the business collects sensitive personal information, it must disclose details of its handling of sensitive personal information. In addition, if the employer uses or discloses sensitive personal information for purposes other than a set of exempted purposes specified by the CPRA, then the employer must describe the right of California residents to restrict the use and disclosure of sensitive personal information to these exempted purposes. The exempted purposes are limited to: (a) security; (b) quality control; (c) short-term transient use; (d) performing services on behalf of the business; (e) uses necessary to provide goods or services reasonably expected by a California resident who requests those goods and services; and (f) purposes added by the CPRA’s regulations.11 Finally, similar to the right to opt out, the employer must provide a conspicuous link on its internet homepage to a webpage where the California resident can restrict the employer’s uses and disclosure of sensitive personal information to the exempted purposes.12
Again, all of these obligations regarding sensitive personal information – the obligation to add information to the privacy policy, to describe the right to restrict, and to provide an option to restrict – only apply if the employer uses sensitive personal information to “infer characteristics” about the California resident. For most employers, their use of sensitive personal information is unlikely to meet this standard.
The Anti-Retaliation Right
Finally, California residents have a right not to be discriminated against for exercising any of the CPRA’s six data rights. For employees, applicants, and independent contractors, the CPRA specifies that the right to non-discrimination means a right against “retaliation” for asserting the CPRA’s data rights. The word “retaliation” is likely intended to draw on the broad definitions of that term under California employment law. This means that any adverse employment action resulting from the HR Individual’s effort to exercise their rights could be deemed “retaliation.” The CPRA does not, however, grant a private right of action for retaliation or for violation of any of the CPRA’s other data rights. Instead, a new California agency created by the CPRA, the California Privacy Protection Agency, will enforce the data rights component of the CPRA.
Service Providers
The CPRA requires employers to pass down to service providers and contractors the obligations of the CPRA in the service agreement with respect to the employer’s personal information.13 As a result, even if a service provider or contractor is not directly subject to the CPRA, it is contractually obligated to comply with the CPRA’s rules regarding data rights. In addition, the CPRA imposes affirmative obligations on service providers and contractors. If the employer informs the service provider or contractor of a request to opt out of selling or sharing the employer’s personal information, or of restrictions on use of the employer’s sensitive personal information, the CPRA requires the service provider or contractor to comply with the opt-out request or restrictions.14
Procedural Requirements to Respond to Requests
The primary procedural requirement for responding to requests to restrict sensitive personal information and to opt out is to conspicuously post the link to a webpage where the individual can exercise these rights on the employer’s homepage. In contrast to the rights to know, correct, and delete, the CPRA does not require the business to verify the identity of an individual requesting to exercise the opt-out and restriction rights. The CPRA also does not set a deadline to reply to requests to restrict sensitive personal information or to opt out. This is another issue that the regulations may address. For example, the California Consumer Privacy Act regulations imposed a deadline of 15 business days to respond to requests to opt out of sales.15
Practical Steps to Prepare
Employers should first ascertain whether any of their data handling could qualify as a sale, sharing, or “inferring characteristics” from sensitive personal information. If so, the employer must decide whether to comply with the opt-out or restrictions requirements of the CPRA or take steps to cease any further sales, sharing, or inferring characteristics. This will require weighing the technical and administrative burdens of compliance against the benefits of continuing to sell, share, or infer characteristics from sensitive personal information.
If the employer decides not to comply with the CPRA’s opt-out and restriction requirements for HR data, it should take steps not only to avoid sales, sharing, and inferring characteristics from sensitive personal information, but also to reduce the risk that its activities might be characterized as such. This should include close scrutiny of any transfers of personal information, provisions in vendor agreements, internal policies, and training.
Companies that decide to comply with the CPRA’s opt-out and restriction requirements for HR data should identify and map all sales, sharing, and uses and disclosures of sensitive personal information for the purpose of inferring characteristics. The employer must revise its CPRA privacy policy to describe the sales, sharing, and uses of sensitive personal information, as well as how HR Individuals can exercise their rights. The employer also must offer an online link to exercise the rights to opt out and restrict sensitive personal information. Internally, the employer should implement policies, a compliance structure, and training to support its compliance with these rights.
Footnotes
1 See California Privacy Rights Act of 2020, 2020 Cal. Legis. Serv. Proposition 24 (codified at Cal. Civ. Code §§ 1798.100 et seq.)
2 Zoe Argento, California Privacy Rights Act for Employers: The Rights to Know, Delete, and Correct, Littler Insight (Aug. 16, 2021).
3 Cal. Civ. Code § 1798.140(ad)(1).
4 Id. at §§ 1798.140(ai)(2) - 140(ai)(3).
5 Id. at §§ 1798.140(j)(1), 1798.140(ag)(1).
6 See Jara v. Suprema Meats, Inc., 121 Cal. App. 4th 1238, 1248 (2004) (recognizing that the California Supreme Court has “authoritatively adopted the concept of consideration as a bargained-for exchange”).
7 Cal. Civ. Code § 1798.140(ah)(1).
8 Id. at § 1798.140(ae).
9 Id. at § 1798.121(d).
10 Id. at § 1798.135.
11 Id. at § 1798.121(a).
12 Id. at § 1798.135.
13 Id. at § 1798.100(d).
14 Id. at § 1798.121(c), 135(f).
15 Cal. Code Regs. tit. 11 § 999.315(f).