What California Employers Need To Do With The New California Privacy Rights Act

What California Employers Need to Do with the new California Privacy Rights Act

The California Privacy Rights Act (“CPRA”) will be enforced starting on January 1, 2023, and will expand privacy rights under the California Consumer Privacy Act (“CCPA”). The California Consumer Privacy Act [Prop 24 passed with California voters in November 2020] provides California employers some exemptions with respect to employment-related personal information, when that personal information is collected and only used in connection with the person’s role as an employee, applicant, dependent or spouse of an employee, beneficiary, independent contractor or owner.  The CPRA expands upon and amends the CCPA, which has led to it being known as CCPA 2.0. However, it was on the ballot officially as Prop 24.

It appears the CCPA does not extend certain consumer rights like the CPRA, including the right to access or delete personal information, to employees.  As reported in Law360.com, businesses subject to the CPRA will have to comply with obligations related to the processing of employee data.

What Kind of Data Breach Can I sue a Business for – OK Get Sued for under the CCPA?

You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:

  1. Your social security number
  2. Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
  3. Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
  4. Your medical or health insurance information
  5. Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)

This personal information must have been stolen in nonencrypted and nonredacted form.

CCPA Applies to Employers in California

 The CCPA does not provide a blanket exemption for employment-related data. Employers are still required to adequately safeguard the personal information they collect and provide a notice of processing at or prior to the point of collecting the personal information to the individual employee.  A practical example will be a Notice to Employees that we collect and maintain your pay and time data, health information, sick time and vacation data, as well as CaliforniaChoice and Cal-COBRA information, Banking information (for direct deposits) and retirement information for 401K plans, etc.

Employee data under the CPRA

Employers must prepare and provide a privacy notice to an employee and/or job applicant at or before the time personal information is collected.

This notice must include:

(1) the categories of sensitive personal information,

(2) whether that sensitive personal information is sold or shared, and

(3) the length of time the employer intends to retain each category of sensitive personal information.

If an employer allows a third party (such as Human Resources management software, PeopleSoft, Kronos, QuickbBooks, Microsoft [Think of Outlook collecting name, address, personal cell phone, and emails] or Clio) to collect personal information on its behalf, the CPRA requires that the third-party collector provides notice at collection.  Along with providing notice that includes the consumer’s rights, who is collecting the data, and how and for what purpose such data is being collected, sold, used, or shared, an employer must also include the categories of all third parties that the employer discloses consumer personal information to, or that the employer allows the collecting consumer personal information.

Unless they can rely on an exemption, employers must honor consumer requests, such as the right to delete, know of, correct, access or opt out of both the sale and sharing of personal information, and limit the use and disclosure of sensitive personal information. In addition, employers must ensure they meet the requirements for data portability and non-discrimination with regard to consumer requests.

Businesses are now being required to enter into a data processing agreement with their vendors, all of them including to agency [overload it seems] require service providers, contractors, or other third parties that may have access to its personal information. This requirement applies regardless of the types of personal information processed, employment-related or otherwise. The data processing agreement must also include the following provisions:

  1. Identify the limited and specific business purposes and services for which the vendor will process personal information as set forth within the contract.
  2. Prohibit retaining, using or disclosing the personal information for any purpose other than those specified in the contract.
  3. Prohibit retaining, using or disclosing the personal information received for any commercial purpose other than the business purposes specified in the contract.
  4. Prohibit retaining, using or disclosing the personal information outside of its direct relationship between the vendor and the business and prohibit retaining, using or disclosing the personal information for any purposes other than the business purposes specified in the contact.
  5. Require that the vendors will comply with the applicable obligations under the CPRA and provide the same level of privacy protection as required.
  6. Require that the vendor notify the business if the vendor can no longer comply with the obligations under the CPRA.
  7. Grant the business the right to take reasonable and appropriate steps to ensure that the vendor uses the personal information in a manner consistent with the business’s obligations under the CPRA.
  8. Grant the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
  9. Require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with, and provide the information necessary for the service provider or contractor to comply with the request.

In addition to the requirements listed above, a business must include the following provisions:

  1. prohibit the sale and sharing of personal information; and
  2. require notification of any contractors engaged, and mandate that the contractors be contractually bound to the same processing obligations.

Businesses must safeguard the personal information against unauthorized disclosures and provide employees with the right to limit the use and disclosure of sensitive information.

Businesses are also required to conduct due diligence assessments, such as audits, on their vendors to ensure that they can process personal information in compliance with the CPRA.

What should employers do to get ready for the CPRA

Businesses should begin to implement the below recommended actions ASAP. Right now, the California Office of the Attorney General will be up in your grill with violations, and next, God Forbid, a new agency is being created. Imagine your client, or worse, your office, being the poster child for a new agency looking to draw blood on some hapless company that forgot to notify QuickBooks (Intuit), Microsoft or the local Schools First Federal Credit Union of its new requirements! Ouch!

This new law creates a new dedicated privacy agency, the California Privacy Protection Agency, to handle enforcement. It will be governed by a five-member board appointed by the Governor (appointing the Chair and one other member), the Attorney General, the Senate Rules Committee and the Speaker of the Assembly. These appointees must have expertise in the areas of privacy, technology and consumer rights (with some restrictions to help ensure that they remain free from external influence).  How we measure “experience” and ensure they are “free from external influence” is still up for debate.

Board members cannot serve for more than eight (8) consecutive years and may be removed during that time by their appointing authority. For two (2) years after they leave the agency, they are also unable to work for any person or organization that currently has an issue before it or was subject to an enforcement action during the five-year period preceding the board member’s appointment.  That does not restrict them from doing consulting work or working directly for a company that has not yet been audited but maybe “on the radar” which to us, leaves room for abuse.

Headed by a board-appointed executive director, this agency will be partially funded by enforcement actions with any administrative fines assessed or settlement proceeds going directly into the Consumer Privacy Fund. It will also receive an annual $10,000,000 (adjusted annually) from the General Fund.  Your tax dollars at work.

Employers Must Learn and Manage their Data

Rather than yell at Junior sitting on the couch until 4 AM playing Call of Duty and Madden NFL 2023 4 AM you need to hire him as your new data consultant. If the terms Data wrangling (has nothing to do with cattle wrestling), Identity transform (has nothing to do with sex changes) and reusable transformation library, are all foreign to you, whip out your American Express Card as you and other businesses are going to have to pay to get complaint quickly. We never thought matching attributes (@*) and nodes would make its way into employment law.

To stay compliant with the CPRA, a business should know and understand what type of employment-related personal information it collects and processes. This can be accomplished by completing a data mapping exercise.  This is not like Geocaching or even mapping a trial hike in Big Bear, this is some advanced stuff!  See this Data Mapping explanation and a chart as an example, courtesy of Wikipedia..

In addition to data mapping [some vendors include – MantaTerraTrue and Clarip No I have not been paid] , companies should review and update existing privacy impact and cybersecurity assessment programs. This step alone will provide useful insight on the type of data a business collects and processes, which could help remediate any privacy and security compliance gaps.

Hire Lawyers and Consultants and Understand the CCPA and CPRA

 What was that last word of advice? Yes, hire lawyers and experts and vendors!  Oh my! Businesses must gain a clear understanding of the CPRA consumer rights and their interaction with the CCPA. As the CPRA consumer rights are broader than the CCPA, it should be easier for larger companies to comply. Some examples of the CPRA’s requirements which allow consumers to request that a business (including a law firm):

  1. Correct personal information that is inaccurate;
  2. Limit its use of their sensitive personal information;
  3. Allow access to information about automated decision-making; and
  4. Provide an option to opt-out of such automated decision-making technology.

The rest of the consumer rights are similar to those found under the CCPA but are expanded or modified.  California companies should also understand its obligations to respond and fulfill any consumer requests, whether or not they seem ridiculous.

The CPRA provides a business with exemptions that, if applicable, could exempt a business from having to fulfill a consumer request. Unlike the CCPA, which allows for its exemptions to be used only for certain consumer rights, the CPRA allows the use of the exemptions toward any of the consumer rights.

Along with understanding consumer rights, a business should also understand the new rights of its employees with respect to their personal information. So by creating or updating your business plan companies can manage the new employee rights and consumer requests obligations. A business should also incorporate and/or update its retention schedule for employment-related personal information – most are currently 7 years – and employee privacy notices to include CPRA notice requirements.

Review Vendors Agreements and Policies

California companies need to know what information vendors are collecting and processing. Each vendor agreement should include the appropriate data processing and information security terms and obligations.  However, the law remains unclear on what smaller companies and firms, like us, can do if the necessary vendor fails to comply with its requirements. It appears we may all be entering the employee leasing business model where “everyone gets sued.”  Microsoft has a data breach, so Company A (vendor) and Company B (service provider), and Company C (actual company with employees) all get sued.


We would also suggest to our California companies consider only doing business with US companies since defendants like Shopify (we are Canadian yeah? You bet ‘cha – United States District Court Judge Edward Chen stated that the US-based court does not have jurisdiction over the two entities since they are headquartered in Canada and France) they seem to avoid liability and a potential source of indemnification for your business under these scenarios.  Comment dire –  que c’est nul!

Review existing policies.

Finally, we suggest all companies review your employee handbooks, operation manuals, information technology policies and procedures, in particular those relating to the use of personal devices for work purposes, lest they be in the cross-hairs of California.

In today’s modern world, employees may conduct certain business functions on their personal devices, via certain applications like Slack, Outlook, Teams, Zoom, and even QuickBooks (Bill! Bill! Bill!). This can be considered “collecting and processing personal information” and needs to be addressed now or at the latest in 2023 when this legislation takes effect.

If you have any questions about this article, Employee handbooks (we write them too), or have issues with unpaid wages, commissions, company charges to your wages, business expenses, off-the-clock work, or any issues with your pay at your current or former employer, please feel free to contact:

Richard E. Quintilone II, Esq. Kyle Gallego Esq. or Jeffrey T. Green, Esq.

Quintilone & Associates 22974 El Toro Road, Suite 100 Lake Forest CA 92630

Phone 49.458.9675 Fax 949.458.9679 Email req@quintlaw.comkjg@quintlaw.com or jtg@quintlaw.com web www.quintlaw.com

California Supreme Court to Address Split on Alleged Paga manageability

On June 22, 2022, the California Supreme Court granted review in Estrada v. Royalty Carpet Mills, Inc. (2022) 76 Cal.App.5th 685, to resolve a split of authority in separate Court of Appeal regarding whether trial courts can strike allegedly unmanageable Private Attorneys General Act (“PAGA”) claims. The Court will hopefully hear arguments in 2023, but with new COVID, Monkeypox or other pandemic concerns – may not. As a quick note, all claims and cases are hard to try. PAGA claims involved workers, pay, and working conditions, nothing fancy other than the software used to track time and other means of proving off-the-clock work and Labor Code violations. It can and will be tried. Just imagine if the medical malpractice or construction defect industry threw up its hands and said “Judge it is just too  hard to manage this CD case [some have over 10 experts per side], so 200 homeowners can go pound sand!”  Yeah right. Nice try defense bar.

In Wesson v. Staples the Office Superstore LLC (2021) 68 Cal.App.5th 746, the 2nd District held that “courts have inherent authority to ensure that PAGA claims can be fairly and efficiently tried and, if necessary, may strike claims that cannot be rendered manageable.” Id. at 756. Drawing on principles from class actions and other representative actions, the court explained that “[i]n general . . . a need for individualized proof pertaining to a very large number of employees will raise manageability concerns.” Id. at 771. (Click here to learn about the Wesson decision.)

We believe Wesson is limited to its own unusual set of facts. In Wesson the trial court felt sorry for the poor defendant (Staples) and claimed [1] the case could not be fairly [Fair to who?] and efficiently tried and the Court had the authority to strike an unmanageable claim, because at the time case law provided for courts to consider the manageability of representative claims in other contexts and PAGA claims involved “comparable or greater” manageability concerns [read between the lines “I do not want to try this case”]; [2]-The employer was entitled to a fair opportunity to litigate available affirmative defenses [we have heard this before – which means they want to put every single class member, claimant or aggrieved employee on the stand for hours] which a manageability assessment had to take into account, because “due process” required a fair opportunity to present a defense; and [3]-[probably the most important] the employee’s lack of cooperation with the trial court’s manageability inquiry stymied efforts to proceed, striking the PAGA claim, which alleged misclassification, as unmanageable was not error.  Misclassification cases are their own “breed” and trying them is inherently difficult. Read the opinion, the plaintiffs did no favors for themselves or the employees to advance the case, and appealed a bad set of facts, which we have been taught over and over again, “Bad facts make bad law.”

Conversely, in Estrada, the 4th District [far more superior Court in intelligence, wit, and good-looking justices] held that “a court cannot strike a PAGA claim based on manageability.” Estrada, 76 Cal. App. 5th at 697. While Estrada also expressed concern about unmanageable claims, it explained that where claims involve “hundreds or thousands of alleged aggrieved employees, each with unique factual circumstances,” the court may render a trial manageable by limiting the presentation of evidence and witnesses, but not by striking or limiting the claims. Id. at 713. Richard Quintilone II Esq. already posted about Estrada here. We have had only one less experienced lawyer argue Wesson defeats manageability [and our case is not hard to manage] and no other quality defense firm has advanced such a motion on facts that diverge from misclassification.

The California Supreme Court is supposed to resolve this split, but the order granting review gives little indication of which way the Court may rule other than pro-employee since it has done so consistently in the past 3 years. While inexperienced defense-only firms and lawyers wax poetic about that the Court denied review of Wesson in December 2021, get real, the justices were simply busy with the holidays. The Court denied a request to depublish Estrada, so as the fans of Game of Thrones know it- Winter is coming.

Again, the Supreme Court will have to take up the split and until then Trial courts are free to rely upon EstradaCalifornia Rules of Court Rule 8.1115. Citation of opinions (2022)  Wesson is clearly a poorly reasoned decision and limited to its misclassification facts. Click our prior Quintilone & Associates Post to read our analysis of Estrada.

If you have any questions about this article, Employee handbooks (we write them too), or have issues with unpaid wages, commissions, company charges to your wages, business expenses, off-the-clock work, or any issues with your pay at your current or former employer, please feel free to contact:

Richard E. Quintilone II, Esq. Kyle Gallego Esq. or Jeffrey T. Green, Esq.
Quintilone & Associates
22974 El Toro Road, Suite 100
Lake Forest CA 92630
Phone 949.458.9675
Fax 949.458.9679
Email req@quintlaw.comkjg@quintlaw.com or jtg@quintlaw.com web www.quintlaw.com