(1) Obligations under the CPRA will go into effect on March 29, 2024. Enforcement of the California Privacy Rights Act (“CPRA”) is now stayed until March 29, 2024 (extended from July 1, 2023). The CPRA provides California consumers with rights and control over their personal information. Upcoming expansions to the CPRA will provide consumers (including employees) with even greater rights. Covered employers include those who:
- Have gross annual revenue of over $25 million;
- Buy, receive or sell the personal data of 100,000 or more CA residents or households; or
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal data.
The new entitlements for California employees of covered employers include the following:
- Notice of the type(s) of personal information that their employer collects, sells, shares, or discloses, as well as the right to request that the employer disclose what personal information it has collected about the employee;
- The right to correct the personal information that their employer maintains;
- The right to request that the employer delete the personal information that the employer has collected about them;
- The right to a copy of their personal information in a reasonable format; and
- The right to limit use and disclosure of sensitive personal information.
“Personal information” is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” “Sensitive personal information” includes anything that reveals an individual’s personal information, such as Social Security number, driver’s license number, state identification card, or passport number; “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”; “[a] consumer’s precise geolocation”; and “a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.” The CPRA requires more vigorous data privacy protections for sensitive personal information.
Exceptions available to the employer include:
- The employer’s right to deny a request for deletion to the extent that the relevant personal information is required to carry out the employment relationship (for example to process payroll) or the employer is required by law to maintain the information.
- The right to rectification is limited to certain personal information that can be verified.
What this means for a covered employer:
- Become clear on the personal information you are collecting and retaining, and which data is subject to CPRA requests.
- Continue to provide applicants and employees with notice of that information.
- Update privacy policies (including in handbooks and on websites that applicants and employees may visit for employment purposes, e.g., a careers portal or intranet).
- Become clear on where the personal information is retained (hard to share, delete or correct it if you don’t know where it is).
- Ensure data security protocols are compliant with evolving privacy laws and technological advances.
- Review and update records retention policies and update recordkeeping practices.
- Develop a plan to process CPRA requests and train employees and vendors who will be implementing and carrying out this plan.
- Review and update terms and conditions with service providers who handle data subject to the CPRA.
- Consider reviewing insurance policies to determine whether data breaches may be covered.
(2) Separation Agreements, Confidentiality and Non-Disparagement Clauses Came under New Scrutiny. This year the National Labor Relations Board (“NLRB”) ruled that confidentiality and non-disparagement agreements commonly included in employment severance agreements may be deemed unlawful under the National Labor Relations Act (“NLRA”) (McLaren Macomb). This development affects all employers and is not limited to unionized workplaces.
- Confidentiality: Clauses narrowly tailored to restrict the dissemination of proprietary or trade secret information are permissible, but to be lawful must be for a limited period and based on legitimate business justifications. Language requiring financial terms be kept confidential is permissible.
- Non-Disparagement: General bans are unlawful, but it is permissible to restrict employee statements that are “maliciously untrue, such that they are made with knowledge of their falsity or with reckless disregard for their truth or falsity.”
- Retroactivity: Agreements proffered to employees prior to the NLRB’s February 21, 2023 decision may be subject to challenge (6-month statute of limitations).