Employees’ Rights Under the CPRA
The CPRA will provide employees, job applicants, contractors, and former employees with rights to request access to, correction of, or deletion of their personal information (subject to certain exceptions). Personal information is broadly defined to include information that identifies, relates to, or could reasonably be linked with a person or their household. And such individuals will be able to exercise their rights to opt-out of the “sale” or “sharing” of their personal information, as those terms are defined in the statute.
The right to request access to personal information provides personnel with the right to request explanations from businesses about how their employment-related personal information is collected and handled, as well as the right to request the “specific pieces of personal information” that businesses have collected about them. The California Privacy Protection Agency (CPPA) is tasked with defining “specific pieces of personal information” under its regulations, but it has not yet done so. However, it seems likely that the term will be interpreted to go well beyond the copies of personnel records that employees currently have the right to access under California Labor Code § 1198.5.
In anticipation of the new access right, which applies to information collected on or after January 1, 2022, employers subject to CPRA should begin taking inventory of their collection, use, and disclosure of human resources/personnel data.
Litigation Impact
One of the significant litigation risks of the CPRA’s expansion of employee rights is associated with the right to access “specific pieces of personal information” that employers collect. In particular, plaintiffs may leverage this right as a pre-litigation discovery tool to obtain a wide range of employment-related records. For instance, individuals may attempt to seek from their employers any document referencing themselves, including interview notes, performance evaluations, or internal investigation materials. If the CPPA adopts a broad interpretation of the CPRA’s reach, compliance would likely be quite costly and could expose businesses to heightened employment litigation risks.
A useful illustration of this risk can be found by looking across the Atlantic to see how businesses in the United Kingdom have been impacted by similar employee data rights, first established through the Data Protection Act of 1998, then expanded in the General Data Protection Regulation. Under both frameworks, U.K. residents have a right to obtain a copy of their personal data from employers through a Data Subject Access Request (DSAR). U.K. data subjects tactically used DSARs as a tool to obtain documents prior to litigation and/or as a form of accelerated disclosure ahead of court timelines. And in Dawson-Damer v. Taylor Wessing LLP, the English Court of Appeal held that companies must comply with DSARs even when the data subject’s real motive is to use the personal data to assist in litigation, as long as the DSAR did not require “disproportionate effort.”
Because California employees and candidates may use the CPRA’s right to access as a form of pre-litigation discovery, businesses subject to the CPRA should begin preparing for employee and candidate requests for information by doing the following:
- Taking inventory of the employment-related data they collect, including documentation of the sources of personal information and the entities to which the information is disclosed;
- Strategically assessing their data retention policies with the risk of disclosure in mind; and
- Assessing the extent to which certain records will be exempt from access requests, such as by being subject to the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), or other statutes subject to CPRA carve outs, or by being subject to other CPRA exemptions, such as being information that would adversely impact the rights of others if disclosed.
Moreover, employers should consider engaging with the CPPA when it takes up employment-related regulations to help shape the regulatory framework for employment-related data.
Authored by Tao Leung, James Denvil, Vassi Iliadis, and Jay Ettinger.
