CPRA, Data Incident Management, and What Your Company Needs to Know About Employee Data and the “Look Back” Provision
California’s new privacy law, the California Privacy Rights Act (CPRA for short), doesn’t go into effect until January 1, 2023, but its implications for the treatment of employee data and its confusing “look back” provision already have a lot of people talking.
CPRA isn’t a replacement of the existing California Consumer Privacy Act (CCPA), but rather serves to define, modify, and extend the laws on the books. One significant extension concerns employee data: the older law exempted employee data from many of the requirements applied to “consumer” data and personal information.
CPRA withdraws that exemption, and as of January 1, 2023, the definition of the term “consumer” will encompass employees as well, and employee data will be protected accordingly.
That means businesses that meet the size and operational thresholds must notify their employees of breaches of their personal information.
Further, employees will be allowed to request access to and correction of their information as held by their employers, and to “look back” at data collected at least as far back as January 1, 2022, and further where applicable.
Take a deep dive into the types of information that individuals – including employees – have the right to access under CPRA.
So what do CPRA and its “look back” provision mean for your company?
CPRA gives California residents (consumers or employees) the right to access their personal information if it is being tracked, used, and shared (or sold) by companies of qualifying size.
Given that 12% of the US population lives in California, even if your company is based elsewhere, there’s a pretty good chance you might do business with (or employ) California residents or use data from another business that does.
Companies collecting data must have clear policies, architectures, and response measures in place for the strong likelihood that they will be asked by individuals or enforcement bodies to “look back.”
How does CPRA impact data breach notification rules?
While the CPRA does not introduce or modify any existing breach notification obligations, it does align with the CCPA, which leverages the breach notification obligations under the California Civil Code. Companies must notify individuals if a data breach has occurred, and notify the California Attorney General’s office if the breach affects 500 or more California residents.
When looking at a company’s incident response, regulators have made clear that putting security measures in place only after a breach occurs will indicate that the company did not act in good faith.
Getting into compliance with CPRA cannot be left to chance or to manual effort after the fact. Now more than ever, privacy and breach response management needs to be digitized and automated so that your company is ready for January 1, 2023 and the “look back.”
Bottom line: don’t wait for January 2023 to get into compliance. Any data you have collected since January 1, 2022 about customers or employees is already subject to the new rules (not to mention the existing CCPA notification requirements and regulations).
A strong cross-departmental privacy team structure is paramount. Appoint an inter-departmental team that includes HR and operations leadership in addition to your privacy compliance specialists to amend your privacy roadmap.
Employee data consent: a trend to watch out for
In addition to requiring that breach notifications be made to employees, and in addition to defining rights of employees to access, look back at, and correct data that a company maintains about them, California law also prevents employers from collecting data without employee consent.
New laws passed in Virginia and Colorado don’t offer that requirement of consent as a protection to employees. In general, Virginia and Colorado’s new privacy laws give companies wider latitude in their data collection and monitoring activities, whereas California leans toward protecting individual Californians.
As more states consider and pass privacy legislation, privacy watchers will be paying attention to how employee data rights evolve under the law on a state-by-state basis.
Sign up for our data privacy updates to stay aware of new developments as they arise.
Disclaimer: While CPRA rulemaking is slated to begin in March, California legislators have introduced a number of privacy bills that we continue to monitor. Feb. 18 was the last day for individual legislators to introduce bills, and we saw a flurry of bills being proposed, including two proposals to extend the employee and business-to-business exemptions (AB 2871 and AB 2891).
Committees can still introduce bills where an entire committee is the author, and Aug. 25 is the last day to amend bills, but this rule can also be waived. Aug. 31 is the last day for each house to pass bills for the 2022 legislative session. We continue to monitor the legislative activity, as any of the current bills that were introduced could be vehicles for last-minute amendments and could turn into something completely different.