Going into effect January 1, 2023, the California Privacy Rights Act (CPRA) covers companies that:
The CPRA introduces a number of concepts not enumerated in the CCPA:
- Data collection and use should be “reasonable and proportionate.”
- Consent for the collection and use of that data must be obtained.
- Enhanced notices on your privacy pages and at points of collection must be provided.
- Assessments for risky behavior and for sharing data with third parties and service providers are required.
- Contracts with third parties and service providers must obligate them to uphold the CPRA when processing data.
Importantly, the CPRA has expanded consumer rights including correction, opt-out of automated decision-making, access to information about automated decision-making, and restricting the use of sensitive personal information.
The big topic under the CPRA is the expiry of the exemption for employee, HR, and business-to-business data. If you have employees or use contractors in California, this will be important for you to know and understand.
To discuss the challenges of employee DSAR fulfillment and how to get prepared, WireWheel’s CPO, Rick Buck, and VP of Privacy, Sheridan Clemens, delivered the presentation “California Employee DSAR Requests: What You Need to Know.”
Which employee and B2B data are covered under CPRA?
Beginning January 1, 2023, data rights will encompass consumers, employees (inclusive of job applicants), and B2B data, which includes subcontractors and independent contractors (their owners, directors, and officers) in the context of employment or job applications.
What’s interesting is that prior to the CCPA and CPRA, the State of California already had a series of employment rights for HR data (e.g., payroll records, employment agreements, and personnel files) providing the right to access, to correct, and not to be discriminated against.
The CPRA now calls out specific rights that employees have in California. They too will now have the right to opt out of automated decision-making, to be informed about the data being used to make automated decisions, and to restrict the use of sensitive personal information.
What used to apply only to the consumer, now includes your workforce.
One issue that requires more clarity is the treatment of a California business’ remote workers located outside of California. A reasonable assumption is that the CPRA applies. “The CPRA applies to anybody that is doing business in California,” opines Buck. “You are a workforce member, you have a B2B relationship…that you are an employee based in California. But I don’t know if precedent has been formally set.”
WireWheel’s Clemens notes that the employee does need to be a California resident (the CPRA is written for California residents), so if the remote worker is not a California resident CPRA would not apply. Conversely, if an employee works in California, but the company headquarters is in a different state, the CPRA does apply if the business is a covered entity.
That said, “many companies are weighing whether they will offer it to all of their employees as a way to keep the playing field level and avoid any issues.”
Some rights might not be relevant
Some of the rights in CPRA may not apply in an employment context, notes Buck.
“The right to opt out of sale/sharing, in particular, might not be applicable, as employers typically don’t sell employee data. They don’t track employees for targeted advertising.”
Furthermore, “the right to limit the use of some sensitive personal information likely also doesn’t apply in this context. Sensitive PI that’s collected is typically only used for human resources purposes, such as work-related, payroll, or potentially health-related information.”
There will need to be some clarity about whether or not this data is in scope. The answer to that question will influence the way in which you, as an employer, respond to an access request.
Challenges fulfilling employee vs. consumer DSARs
The first big challenge is that employee data tends to live in different places than consumer data. Companies will have to work with different departments and systems to fulfill DSAR requests, and this will require a lot of training.
Managing employee DSARs will require new processes and workflows, and this work, if not already begun, should start now. It’s not an easy uplift.
In the context of employee data, information outside the scope of the CPRA may be exposed. “There’s a lot of data collected about employees, and you’re sorting through things like email and Word documents that may contain another employee’s data, or protected information like trade secrets and other confidential or proprietary information,” advises Clemens. Redactions may be required.
In short, more scrutiny will be required, and this can take a lot of manpower.
We expect that the California privacy authority will recognize the need for balance, perhaps with some concessions that make it reasonable for businesses to comply without infringing on the rights of individuals. “I don’t think anything is set in stone here,” avers Clemens. “Be prepared to make some judgment calls.”
Conflict with California employment law is another big unknown. Will the CPRA supersede California employment laws, or will California employment laws take precedence in the employee context?
What companies need to start doing today
- You have to inventory your data
While you may have done this for your consumer data, when it comes to employees there are probably new systems and business processes in scope. You have to talk to HR, and education will be vital, as will understanding exactly what data is collected, where it is being stored, and how it is being used.
- Understand if you sell/share or process sensitive PI
Make sure you’re really clear about selling or sharing personal information: that you know where that data is going, and that you’re giving your employees the right to opt out where applicable. While there is data you need in order to fulfill an obligation, if you are using it for any other purposes (wellness or other incentive programs), you’ll need to provide your employees the opportunity to opt out.
- Update third-party contracts
The CPRA requires data processing agreements for all service providers and contractors processing workforce personal information, so be sure all service providers are prepared to support your DSAR requirements.
- Review and update privacy policies
Privacy policy updates are needed to cover personal information in the employment and B2B context: to delineate the categories of personal information and sensitive PI collected and processed; the purposes for the processing; the retention period by category of PI; a description of the rights available; and instructions on how to exercise those rights.
- Update your DSAR portal
Additional functionality and workflows are needed to process workforce subject rights requests. Considerations include securing the data, granting the right groups access to it, and generally having a DSAR workflow for employees built into the portal. Both the DSAR portal and your website require updating.
- Workflows for employee and B2B data
Additional functionality and workflows will need to be created to process workforce DSARs. As alluded to above, this will likely be the most significant undertaking in facilitating DSAR fulfillment.
There is a lot to consider given the sensitivity of employee data.
You may not want to share your employee data with your privacy team. HR may want to take the lead. In either case, you definitely want to have legal look it over before you send out your DSAR response.
With employee data, there’s a much higher concern that this information could be a prelude to a complaint or lawsuit, which will entail challenges around possible legal holds and other factors.
—Sheridan Clemens, WireWheel
Many companies will choose to have HR manage these requests. There’s quite a bit of sensitive data that will be exposed, and it makes sense to have an HR professional involved in shepherding the process forward. That said, if your HR team is going to be involved in processing DSAR requests, they absolutely need to receive specialized training.
However you choose to handle employee DSARs, you should have discussions with your legal team, privacy team, and HR team. Importantly, if you don’t have one, create an employee data classification policy and define the governance roles around how that data is handled.
WireWheel has been a trusted partner in advancing data privacy capabilities with a full service offering to support these efforts. We have employee subject rights fulfillment as part of our DSAR package and routinely help businesses implement data inventory, mapping, and governance, managing privacy policies, PIAs, and high-risk processing impact assessments.
WireWheel is not a law firm and does not provide legal advice. Any information or materials that WireWheel provides, including but not limited to presentations, documentation, forms, and assessments, are neither legal advice nor guaranteed to be accurate, complete, or up to date.