Finalization of Regulations Clears the Path for Employers to Complete California Privacy Rights Act Compliance Efforts Before June 30, 2023 Deadline

  • The final CPRA regulations clear the way for California employers to finalize their CPRA compliance program before the July 1, 2023 enforcement date.
  • The regulations clarify some points left unclear by the statute, including that the notice at collection may be combined with the privacy policy.
  • The final rule-making added many requirements for California employers, including additional disclosures in the privacy policy, supplemental provisions in vendor agreements, and more steps to the process of responding to data rights requests.

After months of uncertainty, the rulemaking process for the California Privacy Rights Act (CPRA), the first-ever comprehensive U.S. data privacy law applicable to human resources data (“HR Data”), concluded on March 29, 2023.  For virtually all employers with employees in California (“California Employers”),1 this moment was critical.  Ambiguities plaguing the CPRA itself and uncertainty over the regulatory requirements had made it impossible to implement a CPRA compliance program without risking the need for subsequent modifications to address key rules changes.  With that risk now eliminated, California Employers can put the finishing touches on required notices and policies, distribute them, and take the other steps necessary to implement their compliance program.

California Employers are now at this critical juncture because the CPRA extended the application of California data privacy law to HR Data.  Under prior law, the California Consumer Privacy Act (CCPA), HR Data was excluded except that California Employers were required to provide California residents who are employees; their spouse, dependents, other beneficiaries, and emergency contacts; independent contractors; job applicants; and board members (collectively, “HR Individuals”) with a brief “notice at collection.”  Once the CPRA, which amends and supersedes the CCPA, went into effect on January 1, 2023, this near-total exemption for HR Data was eliminated.  As a result, California Employers are now required to put in place the same type of comprehensive data privacy compliance program that the CCPA required only for consumer data.  This program must include, for example, posting an “online privacy policy” for HR Individuals (in addition to providing the notice at collection), ensuring that contracts with service providers contain statutorily mandated language, and establishing procedures so that HR Individuals can exercise their new data rights.2

Fortunately for California Employers, the CPRA established a six-month grace period on administrative enforcement through June 30, 2023.  Any administrative enforcement after that date must be prospective only.  Moreover, the CPRA does not allow for a private right of action.  Consequently, California Employers can now put their compliance efforts into high gear without fear of litigation.  But doing so will require an understanding of how the finalized regulations vary from the CPRA’s plain language. 

This Insight will explain the most important variations in notice requirements, individual data rights, vendor contracting, and other key areas.  We also discuss at the end some notable omissions in the regulations. For better or for worse, the CPRA regulations may address these gaps eventually.  Even before the initial rulemaking process ended, the California Privacy Protection Agency, which administers and enforces the CPRA, commenced a second rulemaking process. 

Implications of the Final Regulations for the Notice at Collection and Privacy Policy

Combining the Notice at Collection and Privacy Policy

In our previous articles, we explained the requirements of the notice at collection and privacy policy and noted that, given the overlapping disclosure requirements, many California Employers may wish to combine the notice at collection and privacy policy into one document, particularly if the company’s prospective and retrospective handling of personal information is largely the same. The final CPRA regulations confirm that combining the two notices is permissible so long as the individual is directed to the specific section of the privacy policy that includes the information that must be included in the notice at collection.3

To the extent the California Employer distributes a standalone notice at collection, the final regulations require that the notice at collection include a link to the business’s privacy policy.4  In other words, if a California Employer distributes a notice at collection for a specific or discrete activity, the notice will also need to include a link to the California Employer’s privacy policy covering the core HR relationship.

Requirements for Disclosures for a “Business Purpose”

The final CPRA regulations depart from the statute with respect to the requirements for disclosures of personal information to external recipients. Specifically, whereas the statute requires disclosure of the categories of third parties to whom personal information is disclosed for any purpose, the CPRA regulations require such disclosures only for disclosures made for a “business purpose.”5 The statute limits “business purposes,” by definition, to a narrow set of eight purposes, most of which are not relevant in the HR context.  These include auditing, helping to ensure security and integrity, debugging, and performing services on behalf of the business.6

The final regulations require that the privacy policy identify the categories of personal information that the business has disclosed for a “business purpose” and, for each category of personal information disclosed for a “business purpose,” the category of third parties to whom the information is disclosed. Further, the regulations add the requirement that the privacy policy must describe the specific “business or commercial purpose” for the disclosure.7

In practice, given the narrow definition of “business purpose,” California Employers disclose personal information of HR Individuals for a “business purpose” in very limited circumstances, making the regulations somewhat at odds with the CPRA’s objective of helping California residents to understand more fully how their information is being used and for what purposes. For example, California Employers disclose personal information to third parties for a variety of purposes other than a business or commercial purpose as defined by the CPRA, such as to administer the employment or work relationship, manage employee performance, and ensure compliance with company policies.

The final regulations also mandate similar disclosures if a business “sells” or “shares” personal information.8  However, as we discussed in prior articles, California Employers rarely sell or share personal information of HR Individuals, as those terms are defined under the CPRA.

Additional Requirements

The final regulations also require that businesses include the following additional information points in the privacy policy, which are not specifically stated in the statute: 

Individuals Under 16 Years of Age:

The final regulations add the requirement that the privacy policy must include a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age.9  However, as a practical matter, if the privacy policy states that the California Employer does not sell or share personal information, this would necessarily include individuals under the age of 16 and therefore including such a statement is probably superfluous. Moreover, very few employers employ individuals under 16 years of age.

Opt-out Preference:

The privacy policy must provide information on how an individual can implement opt-out preference signals if the business processes opt-out signals in a frictionless manner, as well as an explanation of how opt-out preference signals will be processed.10  Opt-out preference signals refer to settings that individuals might configure on their browsers to signal to websites that they do not want their personal information sold or shared.  At the moment, the most prominent of these is the Global Privacy Control.11 As noted previously, opt-out preference signals will rarely apply in the employment context because employers generally do not “sell” or “share” personal information of HR Individuals.

Authorized Agents:

The statute specifically imparts the right for individuals to have an authorized agent exercise CPRA rights on their behalf but provides no details about the manner in which an authorized agent can make such a request.  The final regulations address this gap by requiring that the business’s privacy policy include instructions on how an authorized agent can make a request under the CPRA,12 which can include requiring the authorized agent to provide either signed permission demonstrating that they have been authorized by the HR Individual to act on their behalf or a valid power of attorney pursuant to California Probate Code sections 4121 to 4130.13

General Description of Verification Process:

While the statute specifies that the privacy policy must include a description of HR Individuals’ rights under the CPRA and how to exercise those rights, the regulations also add the requirement that the privacy policy include a general description of how the business will verify the individual’s request.14  In effect, the privacy policy should generally explain that the California Employer will match identifying information provided by the HR Individual to the personal information of the HR Individual already maintained by the California Employer, taking into account the type of request as well as the type, risk, and value of the personal information involved.15

Miscellaneous:

The regulations also specifically require that the privacy policy include a contact for questions or concerns about the business’s privacy policies and the date the privacy policy was last updated.16

The CPRA Regulations’ New Vendor Contracting Requirement

The CPRA lists nearly one dozen clauses that California Employers must include in their agreements with vendors that handle California Employees’ personal information.  Starting in late 2022, in advance of the January 1, 2023 effective date, many service providers, especially the larger HR service providers, began sending their CPRA addendum to California Employers and took the position that absent objection, their CPRA addendum would become part of the master service agreement.  Some service providers did not even offer the opportunity to object.  Many California Employers took a similar approach, sending an effectively “take-it-or-leave-it” CPRA addendum to their service providers.

There is good news for California Employers that already have addressed the CPRA’s vendor contracting requirement.  The finalized CPRA regulations, for the most part, parrot the CPRA’s list of contracting requirements. The regulations add to the list only two requirements related to purposes of use.17 First, the vendor agreement must now identify the specific “business purpose(s),” as that term is defined by the CPRA, for which the vendor is permitted to handle personal information.  Second, the agreement must state that the personal information is being disclosed to the vendor only for the specified business purpose(s).  The regulations expressly prohibit describing the business purposes by generally referencing the underlying service agreement.

As noted above in the section on privacy notices, the CPRA’s eight “business purposes” generally do not apply to the HR context.  However, this list includes “[p]erforming services on behalf of the business” as a business purpose.  California Employers most likely will be required to rely on this business purpose in most circumstances, as only two others — (a) “auditing compliance with this specification and other standards”; and (b) “[h]elping to ensure security and integrity” — potentially could be applicable, and then only in limited circumstances.18  Consequently, this new regulatory requirement, which on its face calls for an onerous contract-by-contract analysis, as a practical matter should be relatively easy for California Employers to address.

Implications of the CPRA Regulations for Data Rights

With respect to the CPRA’s data rights, the final regulations are a mixed bag for California Employers.  The regulations eased a few significant burdens, added many new requirements, and clarified several issues.

As a brief refresher on the CPRA’s data rights, the CPRA grants California residents three data rights particularly relevant to HR Data, in essence:

  1. The right to delete personal information collected from the California resident;
  2. The right to correct inaccurate personal information; and
  3. The right to know, which encompasses (a) the right to a disclosure about how the business collects, uses, and discloses the requestor’s personal information and (b) the right to the specific pieces of personal information obtained from the California resident.19

In addition, the CPRA provides three other data rights that are generally of less relevance to employers:

  1. The right to opt out of sales of personal information;
  2. The right to opt out of “sharing” of personal information, where “sharing” is defined as the disclosure of personal information to third parties for cross-context behavioral advertising; and
  3. The right to limit the use and disclosure of sensitive personal information.20

The CPRA subjects each right to numerous, nuanced limitations and grounds for rejection. 

Significant Additional Requirements in the Regulations

New Notification and Disclosure Requirements:

First, the regulations add new notification and disclosure requirements to the process of responding to data rights requests.  We discuss several examples of these requirements below, but the full list of new disclosures is lengthy.  To reduce the risk of inadvertently omitting one of these required disclosures or explanations, California Employers might consider implementing a set of standard forms containing this verbiage for communicating with individuals about their requests.

The most substantial new disclosure requirement in the regulations obliges the business to explain the basis for denial when rejecting a right to know, delete, or correct.21 The statute itself is silent on how to reject a request.  Furthermore, in several circumstances, the regulations require a “detailed explanation” of the reasoning behind the rejection.  For example, if the California Employer refuses to provide information in response to a request to know beyond the 12-month lookback period, the regulations require the employer to provide “a detailed explanation that includes enough facts to give [an individual] a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period.”22

The regulations also add a significant new timed notice requirement.  The statute just requires that businesses respond to requests to know, correct, and delete within 45 days of receiving the request, with an option to extend the response period with notice and if “reasonably necessary.”23  The regulations also require that the company confirm receipt of a request to know, delete, or correct within 10 business days of receiving the request.24 This confirmatory notice must “provide information about how the business will process the request,” including “the business’s verification process and when the [individual] should expect a response.”25

The final rules include several other minor additional notifications. For example, in response to a request to delete, the business must explain that it will retain a record of the deletion request even though it otherwise deleted the personal information at issue.26 

New Substantive Requirements:

Second, the regulations create several new substantive requirements.  California Employers will have a continuing obligation regarding the accuracy of personal information amended in response to a request to correct.  Although the regulations stop short of imposing an obligation to ensure the accuracy of the information, whether the business has “implemented measures” to keep such personal information accurate “factors into” whether the business has “adequately complied with a … request to correct.”27

Upon request, the business also must disclose the specific pieces of personal information that were the subject of the individual’s correction request to confirm that the business has corrected the inaccurate information.28  The individual can request this disclosure even if the individual has already exhausted their right to submit up to two requests for specific pieces of personal information within 12 months.29 

Of relevance to companies that sell or share personal information, the regulations craft a new requirement for all such companies to comply with opt-out preference signals.30  Even if the business provides links on its website that California residents can use to opt out of sales and sharing, the regulations still require the business to abide by opt-out preference signals.31

Rules about opting out of sales and sharing might not appear germane to HR Data, but California Employers should take note that the California Attorney General has signaled that he interprets the definition of “sale” very broadly.  In particular, some website cookies that make website visitor information available to third parties for analytics and advertising potentially could be construed as selling or sharing personal information.  Of relevance to California Employers, applicant web pages may use cookies that disclose data about applicants to third parties.  HR and legal departments should work with their website managers to consider these issues.

Key Clarifications Provided by the Regulations

The final rule-making provided welcome clarification in three areas of data rights: the right to limit the use and disclosure of sensitive personal information; “disproportionate effort”; and how to determine whether personal information should be corrected. 

Right to Limit the Use and Disclosure of Sensitive Personal Information:

The statute permits California residents to instruct a business to restrict the use and disclosure of sensitive personal information to narrow purposes such as security and quality controls. Sensitive personal information includes Social Security numbers, race, religion, precise geolocation, and the contents of an individual’s mail, email, and text messages unless the business is the intended recipient of the communication, among other items.32  However, the statute added the key caveat that this right does not apply unless the sensitive personal information at issue is collected or processed with the purpose of inferring characteristics about the individual.33

An early draft of the regulations had omitted this limitation, raising concerns that the regulations would conflict with the statute and throw into confusion how California Employers should comply. However, the final regulations clarify that sensitive personal information “that is collected or processed without the purpose of inferring characteristics about [California resident] is not subject to requests to limit.”34  As discussed in our previous article on this subject,35 although employers collect substantial amounts of sensitive personal information, they typically do not use it to infer characteristics about an individual.  As a result, the right to limit sensitive personal information generally will not apply to HR Data.

Disproportionate Effort:

At several points, the statute limits the business’s obligation to comply with data rights requests when the effort required from the business would be “disproportionate.”36 Crucially, a California resident may request that a business disclose personal information in response to a request to know beyond the 12-month lookback period, “unless doing so proves impossible or would involve a disproportionate effort.”37  Although the regulations do not set clear limits on “disproportionate effort,” they provide a test.  In essence, the business must balance the burden on the business against the impact on the requesting individual.  Of help to smaller companies, the regulations explicitly permit the business to take the size of the business into account when weighing this test.

Right to Correction:

The regulations also provide a test for businesses to determine whether personal information must be corrected in response to a request to correct.  The California Employer may deny the request if it determines that the contested personal information is “more likely than not accurate based on the totality of the circumstances.”38  Businesses must consider a non-exhaustive list of factors, including:

  • The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.);
  • How the business obtained the contested information; and
  • Documentation relating to the accuracy of the information.39 

California Employers may find the lack of clear-cut rules in the disproportionate effort and correction tests frustrating, but the tests do give employers leeway to adjust the decision-making process to their own circumstances.  Also, they offer California Employers a defensible process for making decisions in these areas. 

Data Rights Burdens Eased by the Regulations

The regulations lightened the load of complying with data rights requests in three key ways.  Of most importance to California Employers, the final rule-making retained the exception to the right to know for relatively inaccessible personal information.  Under section 7024(c), an employer need not comply with, or even search for personal information in response to, a request to know if the employer:

  • does not maintain the personal information in a searchable or reasonably accessible format;
  • maintains the personal information solely for legal or compliance purposes;
  • does not sell the personal information and does not use it for any commercial purpose; and
  • describes to the individual the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

This exception potentially exempts large swathes of unstructured data that California Employers retain for compliance purposes, such as emails, instant messages, and PDFs. 

The regulations limit the right to know in another significant manner by prohibiting California Employers from producing certain highly sensitive personal information in response to a request for specific pieces of personal information.40  Apparently due to security concerns, the final rules do not allow California Employers to disclose items including Social Security numbers, login credentials, and health insurance numbers.  This reduces a major risk for California Employers, who could be faulted for disclosing this information in response to a spoofed request or through some form of insecure means.  Although businesses must verify the identity of the requesting individual, inevitably some bad actors may infiltrate the authentication process. 

The final rules eased the burden on responding to requests to delete and correct too.  California Employers need not delete or correct personal information on archived or back-up systems within the 45-day deadline.41 Instead they can delete or correct the data when it is next accessed, used, or restored to an active system.  Moreover, as an alternative to deleting personal information, the regulations explicitly allow companies to deidentify or aggregate the information.42

Clarification of Purpose and Proportionality Requirements

Finally, the CPRA regulations attempt to elucidate the rather vague requirements in the statute regarding purpose limitation and proportionality for using personal information.  Specifically, the statute states:

A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.43

The regulations appear to interpret “reasonably necessary and proportionate” to mean, in part, that the collection and use of personal information must “be consistent with the reasonable expectations” of the individual.44  In effect, the regulations create a new requirement out of whole cloth; this “reasonable expectations” criterion appears nowhere in the statute. 

To clarify the new term, the CPRA regulations create a multifactor test. California Employers have to consider factors including the following to assess the HR Individuals’ “reasonable expectations”: the nature of the relationship with the HR Individual (e.g., an employee is unlikely to expect that employee data will be used for advertising the business’s products); the type, nature, and amount of HR Data that the business seeks to collect or process (for example, the purposes for which an employee would expect the business to use the contact information of their spouse); and the specificity and explicitness of disclosures made to the HR Individual about the purpose for collecting or processing their personal information (i.e., the statements made by the business within the notice at collection). 

Once HR Data has been collected, California Employers must ensure the personal information is processed only for the purpose for which it was collected—specifically, the purpose(s) stated within the notice at collection—or another purpose disclosed within the notice that is compatible with the context in which the HR Data was collected.  The final regulations define a compatible purpose as one that satisfies the “reasonable expectations” balancing test discussed above, and that has a sufficient nexus to the original purpose for which the HR Data was collected.

Significantly, if a California Employer cannot identify a purpose for using collected HR Data that is compatible with a purpose identified within the notice at collection, then the employer must obtain the HR Individual’s consent before using their HR Data for what amounts to a new purpose.  Moreover, the collection of new categories of HR Data requires the distribution of a new notice at collection.

Finally, California Employers must be mindful when collecting HR Data—including new categories of personal information collected with consent—that the collection should be limited to the “minimum necessary” to achieve the purpose for collection. 

From a practical standpoint, the purpose limitation within the CPRA regulations puts the onus on California Employers to consider two points:

  1. when finalizing the notice at collection, California Employers must ensure that they consider all of the purposes for which HR Data may be used, to permit the business to use personal information for both identified and “compatible” purposes; and
  2. when new technology or systems are introduced into the workplace to process or store HR Data, California Employers should have a workflow process in place to assess whether the system’s use of the personal information falls within the purview of a purpose identified within the notice at collection.

Notable Omissions in the Final Regulations

While the CPRA regulations span over 65 pages, they fail to address several issues critical to California Employers.  The following are among the most conspicuous omissions:

Responding to Requests for Specific Pieces of Personal Information: 

As we discussed in our article on The Rights to Know, Delete and Correct, responding to a request for “specific pieces of personal information” is anything but straightforward, in large part because the final regulations do not provide guidance on what constitutes “specific pieces of personal information.”  In fact, the regulations are vague to the point of being confusing on the scope of information that California Employers are required to produce in response to these requests.  If faced with a request for “specific pieces of personal information,” California Employers should ensure they review the various exemptions set out within the CPRA before responding to the request.

The Scope of Sensitive Personal Information: 

As we discussed in our article, The New Notice at Collection, the obligations attached to “sensitive personal information”45 apply only if the information is used for the purpose of “inferring characteristics” about a California Individual.  Despite the confusing nature of this requirement, the final regulations do not expound on what it means to “infer characteristics” from sensitive personal information.  As a result, California Employers are left to decide, based on the plain meaning of the phrase, whether they infer characteristics from the sensitive personal information they collect.

Requisite Level of Specificity for Retention Periods:

Finally, although the CPRA requires that California Employers state within their notice at collection the “length of time the business intends to retain each category of personal information … or if that is not possible, the criteria used to determine that period,” the final regulations are silent on how detailed the outlined retention period, or any criteria provided, must be.  Again, California Employers must determine a reasonable means by which to satisfy this compliance obligation in the absence of clear guidance.

Conclusion

California Employers still have a few weeks before California authorities can start enforcing the CPRA on July 1, 2023.  If the California authorities follow an enforcement strategy similar to their approach to the CCPA, the CPRA’s predecessor law, they may just issue warnings and guidance for a year or so before pursuing fines and penalties.  Nevertheless, California Employers should take advantage of the remaining window to finalize and post their privacy notices, execute their remaining vendor agreements, and ensure that their policies and procedures support their compliance with this demanding new law.


See Footnotes

1 The CPRA applies to for-profit organizations with employees in California and more than $25 million in annual gross revenues.  The CPRA may apply to businesses without employees in California if they are otherwise “doing business” in California.

2 For a library of resources on the CPRA’s application to California Employers — including articles, podcasts, recorded webinars, and more — please visit www.littler.com/CPRA.

3 Cal. Code Regs. tit. 11, § 7012(f) (2023).

4 Id. at § 7012(e)(6).

5 Cal. Civ. Code § 1798.130(a)(5)(C); Cal. Code Regs. tit. 11, § 7011(e).

6 See Cal. Civ. Code § 1798.140(e) (2018).

7 Cal. Code Regs. tit. 11, §§ 7011(e)(1)(H)-(J).

8 Id. at §§ 7011(e)(1)(D)-(F).

9 Id. at § 7011(e)(1)(G).

10 Id. at §§ 7011(e)(3)(F),(G).

11 For more information about the Global Privacy Control, please see https://globalprivacycontrol.org/.

12 Cal. Code Regs. tit. 11, § 7011(e)(3)(H).

13 Id. at §§ 7063(a),(b).

14 Id. at § 7011(e)(3)(E).

15 Id. at § 7060(c).

16 Id. at §§ 7011(e)(3)(J), (e)(4).

17 Id. at § 7051(a)(2).

18 Cal. Civ. Code § 1798.140(e).

19 These rights and the relevance to employers are explained in more detail in a previous article: Zoe Argento, California Privacy Rights Act for Employers: The Rights to Know, Delete, and Correct, Littler Insight (Aug. 16, 2021).

20 The following article provides more analysis of these rights: Zoe Argento, California Privacy Rights Act for Employers: The Rights to Opt Out of Sales and Sharing, Restrict Sensitive Personal Information, and Non-Discrimination, Littler Insight (Sept. 7, 2021).

21 Cal. Code Regs. tit. 11, §§ 7022(f), 7023(f), 7024(e).

22 Id. at § 7024(h).

23 Cal. Civ. Code 1798.130(a)(2)(A).

24 Cal. Code Regs. tit. 11, § 7021(a).

25 Id.

26 Id. at § 7022(e).

27 Id. at § 7023(k).

28 Id. at § 7023(j).

29 Id.

30 Id. at § 7025(c)(1).

31 Id. at § 7025(e).

32 Cal. Civ. Code § 1798.140(ae).

33 Id. at § 1798.121(d).

34 Cal. Code Regs. tit. 11, § 7027(a).

35 California Privacy Rights Act for Employers: The Rights to Know, Delete, and Correct, supra note 19.

36 See, e.g., Cal. Civ. Code § 1798.105(c)(3).

37 Id. at § 1798.130(a)(2)(B).

38 Cal. Code Regs. tit. 11, § 7023(b).

39 Id.

40 Id. at § 7024(d).

41 Id. at §§ 7022(d), 7023(c).

42 Id. at § 7022(b)(1).

43 Cal. Civ. Code § 1798.100(c).

44 Cal. Code Regs. tit. 11, § 7002(b).

45 Sensitive personal information includes Social Security numbers; driver’s license, state identification card, and passport numbers; log-in details to a financial account or debit or credit card numbers (inclusive of the credentials needed to access the account or card); genetic data; information about a workforce member’s health; racial or ethnic origin; religious or philosophical beliefs; union membership; precise geolocation information; contents of an HR Individual’s mail, email, and text messages unless the business is the intended recipient of the communication.  Cal. Civ. Code § 1798.140(ae).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.