In 2020, California voters chose to pass Proposition 24, the California Privacy Rights Act (CPRA). As of January 1st, 2023, it has officially gone into effect. This bill is an expansion of the California Consumer Privacy Act (CCPA) intended to provide consumers and workers with greater privacy rights.
Before 2023, employers had relatively few obligations toward their employees’ data privacy. Employees did not have the right to request what data has been collected by their employer or prevent it from being used or sold. However, with the CPRA going into effect, employers must now treat all human resources information and similar data shared with or from other businesses with the same care as consumer data.
This is excellent news for workers. Covered businesses now need to take extra precautions regarding your personal information and protect you from risks like data breaches and identity theft. Here’s what you should know about the CPRA’s impact on your rights to data privacy and what you can do if your employer violates them.
New Privacy Rights Guaranteed for Employees
The CPRA grants employees, job applicants, and contractors the same rights given to consumers under the CCPA. These six rights are:
- The right to know what information your employer has collected about you and how it is used or shared
- The right to opt out of having your information sold or shared with other parties
- The right to limit the use or disclosure of your sensitive personal information to necessary business tasks
- The right to request that data not directly related to your employment is deleted
- The right to correct collected data that is inaccurate
- The right not to face discrimination or retaliation for exercising any of the above rights
In short, your employer must tell you what information it collects about you, why it’s needed, and who has access. In addition, you can block your employer from collecting or sharing most information and request that it be corrected or deleted entirely.
Privacy Requirements for Employers
Applying the CCPA to employers was controversial because of the new requirements it imposes on them. That’s why the initial CCPA specifically stated that employees were temporarily exempt from the rights guaranteed to the average consumer. This exemption was intended to allow employers to prepare for the demands of the CCPA.
However, now all covered organizations must follow the law’s requirements. An employer must follow these restrictions if it:
- Achieves $25 million in gross revenue annually
- Makes 50% or more of its income from selling or sharing consumers’ personal information
- Buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices
All employers subject to the CCPA and CPRA must ensure they can honor the rights listed above. This includes setting up processes to track, correct, and delete employee information and prevent it from being collected upon request. In addition, employers must be able to provide information about the following:
- What employee information they collect
- What types of sources they gather information from
- The commercial purpose for gathering this information
- The types of third parties with whom each kind of data is shared
This allows workers to understand how their data is used and make informed choices about whether to opt out, request deletions, or limit its use.
Benefits of the CPRA
The primary benefit of the CPRA is obvious: you regain control over your personal information. If you work for a covered employer, you have the right to minimize the data it collects and keep your private life separate from work.
Furthermore, the bill increases transparency by requiring organizations to track and report how employee data is used and stored. Employers can no longer use their workers’ information for financial gain or potential discrimination without their knowledge.
This is partly why the rights enshrined in the CPRA are closely modeled after the European Union (EU) General Data Protection Regulation of 2016 (GDPR). Countries subject to the GDPR have discovered that many employers will collect employee information irrelevant to their employment and use it in discriminatory ways.
For example, in 2020, the clothing retailer H&M was found to be keeping records about employee relationships, religious affiliations, and health, and using this information to make employment decisions. This is just as illegal in the EU as in the US. H&M faced a $37.7 million fine and compensated employees for the violation.
If this type of blatant privacy violation and discrimination happens in the EU, it is not unlikely that it is also happening in the US. The CPRA may not only help protect your control over your data, but it could also protect you from discrimination.
What to Do If Your Employer Violates Your Data Privacy Rights
You have the right to data privacy under the CPRA. If your employer violates your rights, you may be able to take action.
In most cases, the California Attorney General is responsible for identifying whether an organization violates the CCPA and CPRA and suing non-compliant businesses. However, in certain circumstances, you can act directly. If your unencrypted personal data is stolen from your employer, you can file a lawsuit in pursuit of compensation for the losses you suffer. Furthermore, if you discover your employer is using your data in discriminatory ways, you can also file workplace discrimination claims.
This is where Le Clerc & Le Clerc LLP is proud to help. We are dedicated to protecting the rights of workers in California. We are available to help you take a stand against unjust violations of your privacy and discrimination in the workplace. Learn more about how our expert attorneys can defend your rights by scheduling a free consultation today.