On January 1, 2023, California will become the only state to make blanket application of consumer data privacy laws to employment information, including human resources data. On that date, the existing exemption under the California Privacy Rights Act of 2020 (CPRA), for employee and business to business data will sunset, leaving employers, employees, and courts in the difficult position of having to apply a comprehensive statutory framework that was not created to address these relationships. By way of background, the CPRA was designed as a follow-up to legislation passed in 2018 the California Consumer Privacy Act (CCPA), that was primarily intended to address the use of consumer data for targeted advertisements by tech companies. Employee data was never really the target of the CCPA or now the CPRA.
The potential for unintended consequences here demonstrates the lack of consideration given to how the CPRA will actually apply in an employment setting. For example, the CPRA includes a right for any consumer to request a company delete any personal information about the individual. Applying the right-to-delete to the employee relationship does not make sense. The right to delete could be used by a bad actor to erase evidence of sexual harassment as long as the individual submits a deletion request. And when the individual submits a deletion request, if the company fails to remove even a handwritten post-it by the harasser from the office, the harasser could have a claim against the company for failing to delete all personal information. Meanwhile, the victim may have no recourse at all because the consumer privacy law has insulated the abusive employee and all evidence of abuse has been deleted at the harasser’s request. Under existing law this cannot happen. But if no solution is provided before the January 1, 2023 sunset, this example is just one of countless ways in which California’s consumer privacy laws are inconsistent with employee rights and data.
Applying a consumer data law like CPRA to employee information would actually put California out of step with other states. Colorado and Virginia made the calculated decision to exclude human resources information from the privacy laws entirely. States that are currently proposing privacy legislation such as New York and North Carolina are also following that logic and excluding employee data from their scope.
Blanket application of CPRA to employee and human resources data will be like trying to fit a square peg in a round hole. Failing to fix this ill-fitting law for employee data will actually create more challenges and unintended consequences as mentioned above. The Legislature has a chance in 2022 to address this issue before the sunset expires.