This article was submitted by Janell Stanton, attorney with Wagner, Falconer and Judd, Ltd. and The Compliance Center
In 2023, the California Privacy Rights Act (CPRA) will go into effect. Under the new law, human resource professionals must take specific actions to protect the data of applicants for new positions and current employees. Let’s touch on the new requirements under the law and what you should know.
New CPRA Requirements
Under the CPRA legislation, businesses must limit their use and retention of personal information to what is absolutely necessary. For instance, your employee’s name, address, contact details, and Social Security number are all reasonable details to possess. However, their prior addresses or pet names probably are not.
Businesses must provide individuals with notice if they plan to collect or use sensitive information for specific purposes. Sensitive information can include any of the following:
- A passport or driver’s license number
- Financial details, such as a credit or debit card
- Geolocation of the individual
- Details about the person’s religion or ethnic origin
- Genetic information
- Biometric data
- Details about the person’s health or sexual orientation
Individuals will also receive the right to request a correction of incorrect information. For instance, if an applicant learns that an employer hasn’t properly saved their education information, they can ask the employer to make an update.
Employees and candidates will also be able to opt out of data sharing with third parties. This particular point is central for organizations that use cloud-based HR services to store important employee information. The organization must have an appropriate workaround if employees request that the company not save their personal details in such services.
The CPRA expands the right of employees and candidates to request all personal information collected about them over the prior 12-month period. Employers must devise a way to easily retrieve personal data concerning employees and candidates if they request the information.
Under the CPRA, individuals can now sue businesses that expose their personal information, such as a username and password. Companies will need to be extremely careful with their employees’ data to ensure that a potential data breach doesn’t adversely impact workers and applicants.
California is the first state to adopt such a thorough and enhanced privacy law. However, we note that California tends to be one of the forerunners when it comes to employer-related legislation.
We can expect that other states will likely adopt similar legislation as data privacy becomes even more critical, given the ever-increasing rise of technology in all aspects of our lives.
HR and Data Privacy
Data privacy has become an increasingly hot topic as several massive data breaches have impacted consumer data over the past few years. Since HR departments commonly hold vital personal information, they’re at risk of a breach if they’re not careful about protecting employee details.
It’s critical to keep things as simple as possible when requesting employee and applicant information to minimize the impact of a possible breach. Only ask for what’s absolutely necessary for HR purposes.
Take a holistic look at the data you’re assembling, and cut out any frivolous information that isn’t mandatory from a governmental or benefits perspective.
By January 1, 2023, employers must be ready for the CPRA to go into effect. They should be actively working with legal counsel to determine how to respond if an employee requests their stored data history or makes other inquiries in line with the CPRA legislation.
Get Help from The Compliance Center
If you’re concerned about adhering to the new CPRA legislation, The Compliance Center can assist you. Our partnership with The Compliance Center connects our clients directly with experts who can answer questions and offer HR expertise for your HR team. Connect with Chris Kelly to learn more.