What California businesses need to know about employee information


The California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023 and updates and extends the privacy rights under the California Consumer Privacy Act (“CCPA”). Unless a further extension or amendment is passed, the CPRA ends the CCPA’s exemptions for employee information, and businesses subject to the CPRA must comply with its obligations when processing employee information.

What is the current status under the CCPA?

Currently, the CCPA provides certain exemptions to employers with respect to employment-related personal information, provided the personal information is collected from and used about the individual only in their capacity as an employee, job applicant, dependent, beneficiary, independent contractor, or owner. Specifically, the CCPA does not extend certain consumer rights, including the right to access or delete personal information, to employees. However, the CCPA does not provide a blanket exemption for employment-related data: employers are still required to adequately protect the personal data they collect and to provide a notice of processing to the concerned individual at or before the time the personal data is collected.

What are the new obligations and rights related to employee data under the CPRA?

(1) Employers must prepare and provide a privacy notice to an employee and/or job applicant at or before the collection of personal information.

  • This notice must include: (a) the categories of sensitive personal information collected, (b) whether that sensitive personal information is sold or shared, and (c) the length of time the employer intends to retain the sensitive personal information.

  • If an employer authorizes the collection of personal information on behalf of a third party, the CPRA requires that the third party collector provide notice at the time of collection.

  • In addition to describing the individual’s rights and stating who collects, sells, uses or shares the information and for what purpose, the notice must identify the categories of third parties to whom the employer discloses, or whom the employer permits to collect, the individual’s personal information.

(2) Unless relying on an exemption, employers must honor consumer requests, including the rights to erasure, to know, to rectification, to access, to data portability, to non-discrimination, to limit the use and disclosure of sensitive personal information, and to opt out of both the sale and the sharing of personal information.

(3) Businesses must protect against unauthorized disclosure of personal information and must give employees the right to limit the use and disclosure of their sensitive personal information.

(4) Finally, a business must enter into a Data Processing Agreement (“DPA”) with its vendors (i.e., any service providers, contractors or other third parties that may have access to the personal data). This requirement applies regardless of the type of personal data being processed (i.e., employment-related or otherwise). The DPA must include the following provisions:

  • Identify the specific business purposes and services for which the vendor processes personal data under the agreement.

  • Prohibit the collection, use or disclosure of personal information for any purpose other than those specified in the Agreement.

  • Prohibit the retention, use or disclosure of the personal information received for any purpose other than those described in the agreement.

  • Prohibit the retention, use or disclosure of personal information outside of the direct business relationship between the vendor and the business, and prohibit the retention, use or disclosure of personal information for any purpose other than the business purposes described in the agreement.

  • Require the vendor to comply with its applicable obligations under the CPRA and to provide the same level of privacy protection that the CPRA requires.

  • Obligate the vendor to notify the business if the vendor fails to comply with its obligations under the CPRA.

  • Give the business the right to take reasonable and appropriate steps to ensure that the vendor uses the personal data in a manner consistent with the business’s obligations under the CPRA.

  • Give the business the right to take reasonable and appropriate steps to stop and correct unauthorized use of personal data.

  • Require the business to notify the service provider or contractor of any consumer request made pursuant to the CCPA and to provide the service provider or contractor with the information necessary to comply with the request.

In addition to the requirements listed above, note that a DPA must also include the following provisions:

  • Prohibit the selling and sharing of personal information.

  • Require notice of any sub-processors engaged and require that those sub-processors be contractually bound to the same processing obligations.

Businesses are also required to carry out due diligence reviews of their vendors, such as audits, to ensure that the vendors can process personal data in compliance with the CPRA.

What should employers do to prepare for the CPRA?

  • Understand the employment-related personal data your business processes by conducting a data inventory/data mapping exercise.

  • Understand the rights and exceptions available to California consumers and the requirements your business faces under each consumer right established by the CPRA.

  • Check that your business is providing a privacy notice to employees and job applicants at or before the collection of personal information, and ensure that this notice meets the requirements of the CPRA.

  • Ensure DPAs are in place with all suppliers, including those processing employment-related personal data.

  • Consider developing privacy impact and cybersecurity assessment programs to understand and address privacy and security compliance gaps.

© Polsinelli PC, Polsinelli LLP in California. National Law Review, Volume XII, Number 242
