California Privacy Rights Act exemption for human resource data is set to expire January 1, 2023. Procopio Senior Counsel and Privacy Officer, Elaine Harwell and Senior Associate, Olga Savage provide valuable insight into the potential impact it may have on employers.
Audio: Welcome to Procopio Perspectives, a podcast featuring award-winning corporate and litigation attorneys providing useful legal insights on the latest issues of the day. Now, here's your host.
Elaine Harwell: Hi, everyone. My name is Elaine Harwell. I'm a privacy attorney here at Procopio and we are in Procopio's privacy podcast. I am here with my colleague, Olga Savage, who is an attorney on our employment team. And we're going to talk a little bit today and just have a conversation about the upcoming California Privacy Rights Act, the CPRA, which goes into effect January 1, 2023. As some of you may know who follow privacy law here in California, you know that the CCPA, California Consumer Privacy Act, is actually, currently in effect. And HR data or, or data that's collected and personal information that's collected for human resources purposes, is currently exempted out of the CCPA right now, by a series of amendments. The CPRA, which goes into effect in 2023, also has an extension of that exemption until January 1, 2023.
So what we're here to chat about today and get a perspective, hopefully, from Olga's point of view, is what happens if that exemption, that's currently in place, does not actually get extended any further and HR data becomes part of the full consumer personal information that we've been considering and with under the CCPA for the past couple of years. So with that introduction, I just wanted to give a brief update on what's been happening recently on the legislative front. As some of you may know, there are two bills that have been proposed up in Sacramento. One is AB 2871, which would indefinitely extend the exemption for HR data, as well as B2B data, under the CPRA. And a second bill, which was introduced, AB 2891, both at the same time. That bill would extend the exemption up until January 1, 2026. So we have those currently on the plate right now. We'll have to kind of keep on those and see what happens.
Probably we will know that by October as to whether either of those proposed bills becomes law. But in the meantime, we think it's really important for companies now to consider what they're going to do if, indeed, HR data becomes available under the CPRA for the full consumer rights. And with that, I really want to just kind of give an opportunity for us to talk about what types of rights that the CPRA does provide over consumer data. And what that might mean for HR data, given the fact that there are a lot of employment laws out there already existing that might impact HR data and impact it alongside the CPRA. So with that, I want to turn over just to Olga really quickly to say hello. And to just give us any initial thoughts that you might have with respect to the CPRA and the potential for the HR exemption to go away under the CPRA.
Olga Savage: Thanks, Elaine. Good morning, or afternoon, or evening everyone, depending on when you might be listening to us today. This is really a very interesting issue, because from the perspective of an employment law attorney who focuses on employers' obligations under the various, whether it be federal or state labor code provisions, common law obligations, et cetera, it really does seem that as currently drafted, it's kind of difficult, or actually, I'm going to modify that and say, it's extremely difficult to smoothly translate some of the requirements that the CPRA has currently drafted to apply to HR data. We're talking about a very different set of data here. HR data is an extraordinary, broad category of information.
And for every piece of information out there, and we'll get to this more when we're talking, for example, about things like deletion rights, inspection rights, changing rights under the CPRA, there's a different way in which the data is maintained, the time that it has to be maintained for, the way it's stored, the way it's categorized, the way it's described. And because every employee's file is so extraordinarily unique to their particular situation and can range from the employee's position, their history of performance, anything outside of pure work considerations that has come up in the context of their employment, has this employee been ill, has this employee requested leave, has this employee had to go out on maternity/paternity leave, has this employee had significant performance or conduct issues, it really differentiates the type of data that the employee has within the employer's files.
And because of that, it's going to require a great deal of maneuvering and creativity and creative organization to fit into the various categories and classifications of what an employer may be required to do if the extension to HR data goes into effect. And I think that's a really interesting topic for discussion today, Elaine.
Elaine Harwell: Yeah. And I love that you termed it creative organization with regard to the data. Of course, initially, it was not anticipated that HR data was going to be a part of the CCPA. And at that point, the CPRA didn't exist. But this was really a consumer data log. It was drafted with that in mind, not with respect to HR data. But given how broad the definition is of personal information, it certainly has swept up that to the extent that there is no exemption. So kind of starting with what you maybe touched on a little bit with regards to the right to delete, consumers right now under the CCPA and the CPRA will have the ability to request a business delete information that they may have on them.
And again, in the context of consumer data, that may make sense in some circumstances. From the CPRA perspective, the right to delete personal information is going to be collected from the individual. So this kind of opens up some questions as to whether or not an employer would be even required to delete information that they may get from other sources or that they may generate internally. So what are your thoughts from a employment perspective, Olga, as to what that might mean in terms of collected from the individual? And just to say, we don't really have a good definition of what that might mean moving forward, but let's just talk about it anyways.
Olga Savage: Yeah. That's an excellent question. And, of course, when you say the words deletion of HR information, and you say those words to an employment lawyer, all of my red lights start going off immediately, because I spent the vast majority of my career telling employers not to delete stuff, because there's so many records retention requirements under employment law, which we can get to later. But in terms of data that's collected from an individual as an employee, as opposed to data collected from third parties, it's interesting, because it's sometimes difficult to paint a clear line between the two. Sometimes it seems fairly obvious. So if an employee provides their home address, their social security number, their emergency contact in the event that they become ill at work, okay, fair enough. That's data collected from an employee. I think that's fairly simple.
But when you've got a document in an HR file that's a combination of information that's collected from an employee and collected from third parties, it doesn't become as clear. Think, for example, of let's say, a performance counseling notice, a performance improvement plan, a disciplinary warning that includes in-depth documentation of, let's say, an event or a performance issue, there could be a great deal of amalgamation and confusion there between what an employee has indicated in the course of let's say, an employment counseling discussion and what someone else contributed to the discussion, whether it be a manager or witness, et cetera.
So that's where the line gets a little bit blurry. So again, in that case, we've got information where maybe we could paint a fairly clear picture. And we've got information where, whether it was collected from the employee or a third party isn't as obvious.
Elaine Harwell: Yeah. And I think under the CCPA, when we talk about the right to delete information that a consumer might have, there are a lot of exceptions to the requirement to delete information. One of the big one of those is if the business has a legal requirement to keep that information. So I think in the context of HR, we could probably look at it as to whether or not there is a legal obligation for the employer to keep that. And I think in a lot of senses, there probably is.
Where it starts to get muddy to me is when you have documents that perhaps are something that the employer thinks might be helpful in potential litigation down the road that maybe hasn't happened yet, or hasn't come to fruition yet. However, they think that it might, is there a legal requirement to keep that type of documentation after someone has requested a deletion request, but not indicated necessarily that they're going to sue? I don't know. I'm not quite sure of the response to that. At this point, I think it probably would depend upon a fact intensive inquiry with respect to the data that is actually collected and the data that they want to maintain. I think a pretty good argument could be made in most cases that the data would need to be maintained. But I'd be interested to kind of hear what the data retention requirements under employment laws might be with respect to that type of information that an employer might anticipate they could use in later litigation.
Olga Savage: Yeah. And that's a really excellent question, because here we get the distinction between what's legally required and what's advisable. Because, for example, if you take the pure... And there's a retention statute for pretty much every type of HR data out there. There's specific retention statutes for injury and illness prevention records, I-9 forms, position recruitment files, blah, blah, blah. But they're all for a limited period of time, or most of them are. So let's assume for the sake of argument that those periods have passed. So arguably speaking, you don't have the retention requirement anymore. You've got the overall, broad you have to maintain personnel records for up to three years. That is a legal requirement.
Although query, of course, whether an employee can absolve the employer of that legal requirement by requesting the deletion in his or her files, because the primary purpose of that three-year environment in the first place is to facilitate the employee's rights to inspection, obtain copies of their files and records. So query as to whether the employee can exercise their CPRA rights and thereby absolve the employer of that obligation. But then there's the legally required time period. But then there's also the recommended time period that employers would hear from most attorneys. And what a lot of employer attorneys will say, and it's a very sage form of counsel, is you should maintain employment records for at least as long as the employee can still make an employment claim.
Generally, under the various statute of limitations laws, an employee can bring a claim for conduct arising in the employment relationship sometimes as late as four to five years after the relationship actually terminates. And that time can be extended if there's a claim that the employee only recently discovered the unlawful conduct. There's various ways in which that period of time can get extended. So query is if it's advisable for an employee to retain all records, just in case a situation may arise, let's say, four years after the employee's termination, where those records will become useful and necessary in defending a lawsuit, is the employer then allowed to take the position that I am entitled to decline the deletion request?
Elaine Harwell: Yeah, I think that it would be a pretty good argument. So under the CCPA and the CPRA covered businesses can deny a request to delete information if it would prevent them from exercising or defending their legal claims. So I think in us talking about this earlier, what does a legal claim actually mean? And that's where I think maybe you get into some questions as to what the factual instances of that particular situation is. And maybe you can make an argument that there is a potential for a legal claim that they are already anticipating. I think one of the things that Europe saw after the GDPR was a lot of requests by former employees requesting copies of their HR files under the GDPR. And it was anticipated it was for the purpose of being able to prepare themselves ahead of any earlier opportunity to be able to do so, to prepare for their potential legal claims against their former employers.
So it's not unheard of, that type of situation. So I think that it's something that would be very, very interesting to think about. But also, to the extent that there is an opportunity to review that on a more detailed basis, I think probably worth doing so. I'll also mention, probably sounds like as well, too, a good opportunity now to start reviewing your data retention and destruction policies. Because certainly, if you have the ability to point to a data retention or destruction policy as what the requirements are for that business, at least that they've set upon themselves, to maintain that information for specific periods of time, that also, I think, strengthens the argument for being able to maintain the information longer. Yeah. Very good.
All right, we don't want to take up too much time today. We're going to try and keep this to a short little podcast. So one of the other things that I wanted to make sure that we covered today was another right that is under the CPRA, but didn't exist previously under the CCPA. So we're dealing with this kind of new under California law. And that would be the right to correct. And this allows generally a consumer, which we're talking about in this context, obviously HR data, so an employee, to be able to request of their employer to correct inaccurate personal information. At first glance, this type of right does make sense in many contexts. You want people to be able to correct the information that might otherwise be incorrect, that a business holds about them, especially where that business might be making decisions about them that impacts them.
For example, an insurance company, that's making decisions about premiums or the ability to get coverage, you want to make sure that they have actually correct information about that consumer when they're making those decisions. So I think it makes sense from a context in that sense. And again, this is where sometimes we have a contorted application to HR data where it wasn't necessarily anticipated first, because I could certainly foresee some strange situations coming about where an employee is asking for an employer to correct information that maybe they perceive to be incorrect, but that the employer may not. Is there anything akin to this in employment law now, currently? And what does that look like? And how should businesses really be thinking about this, if it does actually go into effect this way?
Olga Savage: Yeah, that's an excellent question, because generally, my initial reaction is when you have this right to correct information that is inaccurate, whatever that means, you would think that that right should be limited to information whose accuracy can be verified. So then that would make a lot of sense, because then that means, of course, an employee can correct if their personnel file contains an incorrect address or emergency contact. That's verifiably incorrect information, as opposed to subjective information, for example, a performance review the employee disagrees with, or a notation that says the employee was late to work on three separate occasions and the employee disagrees with that, do they have the right to correct that? It makes the situation significantly more difficult. But right now, employers are already effectively doing it.
If we're just limited to information whose accuracy can be verified, employers effectively already have an obligation to do that. If an employee moves and tells the employer, "I've moved. Here is my new correct address," there's not a whole lot of ground for the employer to say, "No, I don't have to make that correction." So, in fact, under certain circumstances, employers can even have an obligation to go beyond that these days. A good example of that is under various anti-discrimination and reasonable accommodation laws, when a gender nonconforming employee or an employee who's chosen to identify with a gender different than their birth gender goes to an employer and says, "I would like the first name in my personnel records to be changed. I would like the pronoun in my personnel records to be changed," except for legal documents, such as an employee's driver's license and birth certificate and I-9, the employer is required to accommodate that.
So the employers are already having to face certain obligations about making changes to personnel records. It'll be interesting to see what this particular obligation will entail.
Elaine Harwell: Yeah. And I'll note under the CPRA, the right to correct information does state that it's required of inaccurate personal information taking into account the nature of the personal information and purposes of that personal information. So from my view, it does seem to recognize that there might be some type of subjectivity to this. Whereas, like you said, employers have to correct something like an incorrect address. But maybe not necessarily have the right to demand a change of a subjective opinion that might be included in a, say for example, an evaluation of some type. So I think that ultimately, there are some interesting examples that I think we can all think of in this situation where it may or may not be subject to the right to correct that information. All right, very good. Yeah.
I think there are a couple of other rights that are given to consumers under the CPRA. There is also the right to know what information is being maintained about you, the right to disclosure of how the personal information is collected and used and the right to copies of specific pieces of information. There's two parts to the right to know that, to me, probably differs in terms of how a response is generated when an employee comes to you. For example, the right to know what information is collected and used, that's a little bit easier to provide to your employees, because generally you're likely collecting the same type of information for your employees. But maybe not always. I think, in general, I can imagine employers being able to point to their CCPA or CPRA employee notices that they're giving to their employees as the categories of the types of information.
But if a employee is asking for specific pieces of information about them, then in that instance the question comes up as to what the employee might be entitled to see about themselves that's being maintained in that context. Can you just talk, maybe very briefly, Olga, about what that looks like now for employers with respect to what obligations that they might have? And then let's talk about, just very briefly, what that looks like under CPRA.
Olga Savage: Sure. I mean, currently the employee's right to see information that their employer holds about them is fairly broad. An employee's entitled to view and receive a copy of their personnel file, their payroll records, any documents that they signed in connection with the obtaining or holding of employment. So that's a fairly broad category. But it's not all encompassing. There's certainly records that an employer maintains and information an employer maintains about employees or relating to employees that employees are not necessarily entitled to see. For example, if there's a workplace investigation and there is information data generated through that investigation, there's an investigation report. Most times the employee isn't going to get to see that report, even though that report may very well contain personal information and data about them.
Sometimes there's a privilege argument, because, for example, if the investigation is conducted by an attorney investigator, there could be an attorney-client privilege invoked over those documents. Sometimes an employee's name and personnel information ends up in the personnel file of a different employee, because let's say, there's a dispute between the two and there's a disciplinary notice. And there, the other employee's privacy rights are potentially invoked. So we're not talking about a situation where an employee has an overarching right to see every single document in the employer's files with their name on them. So there is going to be a lot of overlap, but I could see situations where there might be a conflict.
Elaine Harwell: Yeah. And I think under the CPRA, the right to know is not limited to the personal information that's collected from the individuals that we talked about under the right to delete. So I think it will be an interesting question to look at that, to see, is there some type of limitation to the right to know that might apply in that situation, like you spoke of, with respect to privileges that exist and things like that? Again, I think we're talking about looking at this in a more careful context than we might otherwise have had to look at this before. That seems to be the impact of the CPRA. To the extent that it will include HR data, to me, it seems to just add an additional layer of complexity, an additional layer on top that companies are now going to need to think about when they're responding to what is termed or identified as a CPRA request by a California employee.
So I think lots of interesting questions that maybe will start to develop and see how this comes about. Like we mentioned at the outset, it's not entirely clear whether or not one of these proposed bills, that's currently pending in Sacramento, is going to get passed or not. So to the extent that it does not, these are certainly questions, I think, companies are going to have to think about and grapple with. And the extent that you have not as a company considered doing a data map or inventory of your employee data, it's likely a good time to start thinking about that. We won't know until much closer towards the end of the year, what's going to happen with respect to HR data. And in the meantime, getting prepared and getting a handle on what type of data you have, I think, is certainly good advice moving forward. Olga, any thoughts kind of as we wrap this up today?
Olga Savage: Yes, absolutely. And I think, Elaine, you hit it right on the head. Right now, getting organized is probably the best thing that employers can do to prepare for this potential eventuality. The other thing that employers really, from my perspective, need to keep in mind and what can really put them at an advantage in getting a head start on this, is just making sure that everything in their records are correctly organized. You do see situations sometimes where certain things that are in personnel files or HR files are documents that actually shouldn't be there. They should be in separate confidential files, separate medical files. Now would be a good time to get organized and make sure everything's separated correctly.
And then there is such thing as excessive recordkeeping. I know we love records. We love documents. We lawyers love that kind of thing. But getting prepared for this potential new obligation on the part of employers also can serve as a good reminder to really get your recordkeeping practices in place so that you are not holding onto things that you really don't have a legal, and legitimate, and business, and intelligent need to do so, because I think that will also create a massive over complication, if and when this does go into effect.
Elaine Harwell: Yeah. Really, really great advice, Olga. I think probably that applies whether or not the CPRA sees an extension of HR data exemptions. So very good advice there. All right, great. Well, thanks everyone for joining us today. And thank you, Olga, for joining on this privacy podcast. Appreciate everyone's time in listening. And as always, if anyone has any questions, please feel free to reach out to your Procopio contact.
Olga Savage: Thank you so much, Elaine. And thank you everyone for joining us.
Elaine Harwell: Thank you.
Audio: We hope you enjoyed this Procopio Perspectives Podcast. Please subscribe, if you haven't already. And visit procopio.com to learn more about Procopio. Thank you for listening.