Listen to this post

The New Year usually means new laws for California employers.  This year, a new privacy law goes into effect with new mandates for employers to ensure that workers have more control over the collection and use of their personal information.

Come January 1, 2023, companies that employ California residents need to make sure they have taken the required steps to comply with the California Privacy Rights Act (“CPRA”), which amends the landmark California Consumer Privacy Act (“CCPA”) by expanding its protections to employees, job applicants, and independent contractors.

Workers will soon have the same rights as any consumer under the CCPA, including:

  • The right to know what personal information employers have collected, sold or shared with third parties such as advertisers;
  • The right to correct inaccurate personal information and require employers to delete personal information, unless otherwise required by law; and
  • The right to opt-out of the sale or sharing of their personal information and restrict the use of and disclosure of sensitive information.

Employers must confirm receipt of a worker’s request to know or delete within ten business days and must provide a substantive response within 45 calendar days.  Employers also must stop selling a worker’s personal information within 15 business days after receiving a request to opt-out of the sale of personal information.

In addition, the CPRA also requires businesses to provide an accessible privacy policy or a California-specific addendum to any existing policy. The policy should include:

  • Workers’ privacy rights under the CPRA;
  • The categories of workers’ personal information that an employer collects;
  • The reason employers are collecting, selling, or sharing personal information; and
  • Information about any third parties to which the employer discloses personal information.

Other requirements include separate training and recordkeeping mandates. Also, employers must provide notice to workers when employers collect personal information, including notifying workers about the reason it is collecting the personal information and whether the information is shared or sold and how long the information is kept. Finally, employers should continue to monitor the ever-changing landscape of privacy laws as new regulations and additional laws are anticipated in 2023 that will also impact employers. As noted in a prior blog post, one potential new law on the horizon is Assembly Bill 1651 or the Workplace Technology Accountability Act, which seeks to build on the CCPA and the CPRA by expanding the categories of protected data to include “human resources information” such as a personnel file or performance evaluation. The bill would also limit an employer’s ability to electronically monitor workers, including an employer’s ability to track the websites an employee visits and when an employee is away from his or her computer.