California Privacy Rights Act For Employers: The Rights To Opt Out Of Sales And Sharing, Restrict Sensitive Personal Information, And Non-Discrimination

• Published date: 08 September 2021
• Subject Matter: Employment and HR, Privacy, Employee Rights/ Labour Relations, Data Protection, Privacy Protection
• Law Firm: Littler Mendelson
• Author: Ms Zoe Argento

This is the second in a series of articles about the implications of the California Privacy Rights Act for employers.

The California Privacy Rights Act ("CPRA"), which goes into effect on January 1, 2023, grants six new rights to California residents in their roles as employees, applicants, independent contractors, and other human resources members ("HR Individuals").¹ In our previous article in this series, we covered how the rights to know, correct, and delete personal information apply to employers.² This article covers the three other rights. Two of these are the right to opt out of the sale or sharing of personal information, and the right to restrict the use and disclosure of sensitive personal information, by the employer and employer's vendors. The last right is the right of HR Individuals not to be discriminated against for exercising these rights.

This article discusses how the definitional limitations, and exceptions to, these rights apply in the employment context. Additional key points are procedural requirements to respond to requests and the role of service providers to assist with compliance. The discussion ends with practical recommendations on preparing for these three data rights.

The analysis in this article is based on the CPRA's text only. The CPRA sets a deadline of July 1, 2022, for the publication of final regulations. Those regulations could result in modifications to this analysis.

The Scope of the Data Rights and Key Exceptions

The key to understanding the impact of the data rights on employers is to understand how the CPRA defines and limits each right. Due to definitional limits, the rights to opt out of the sales and sharing of personal information and to restrict sensitive personal information should not apply to many employers. If they do apply, however, the burdens are onerous.

Sales

In the right to opt out of sales, the crucial issue is what constitutes a "sale" of personal information. The CPRA defines "sale" as "communicating ... personal information ... to a third party for monetary or other valuable consideration."³ This might seem so broad as to encompass any sharing of personal information, but the definition contains two key limitations.

First, "sale" includes transfers to third parties only. The CPRA defines "third party" to exclude "service providers" and "contractors."⁴ This considerably narrows the scope of the transfers that might qualify as sales for employers. Although employers transfer HR data to many parties, they typically do so in the context of outsourcing HR functions to vendors. Therefore, employers can reduce the risk of transfers being deemed "sales" by ensuring that vendors meet the CPRA's definition for "service provider" or for "contractor."

These terms are defined quite similarly. Both are entities to which a business transfers personal information for a "business purpose" subject to a contract that includes specific provisions required by the CPRA.⁵ This puts the onus on employers to ensure that their vendors sign contracts (a) containing these provisions and (b) limiting the vendor's use of the...