By: Sherri Bartels, Marc Dalmunder, Evelyn De Souza, Dee Haggerty
The California Privacy Rights Act (CPRA) is a new data protection law that was passed in California in November 2020. It expands upon the existing California Consumer Privacy Act (CCPA) and provides additional rights for California residents regarding their personal information. The CPRA took effect on January 1, 2023.
Some key differences between the CCPA and the CPRA include:
- The CPRA creates a new category of sensitive personal information, which includes information such as precise geolocation data, race, ethnicity, sexual orientation, and other sensitive data. Businesses will be subject to stricter rules for collecting, using, and sharing this type of information.
- The CPRA also expands the definition of personal information to include any data that can be linked or reasonably linked to an individual or household, regardless of whether it is linked to a specific device or account.
- The CPRA gives California residents the right to opt-out of the "sale" of their personal information.
- The CPRA also gives California residents the right to correct inaccurate personal information and the right to limit the use of personal information for targeted advertising.
- The CPRA also includes new provisions for data minimization, data retention, and data security.
Another significant change under the CPRA is the expansion of the definition of "business" to include any organization that collects personal information from California residents, regardless of whether it has a physical presence in the state. This means that even companies based outside of California will be subject to the CPRA if they collect personal information from California residents. It applies to organizations that made over $25 million in revenue globally in the previous calendar year and does not apply to non-profit organizations or government organizations. Non-compliance with the CPRA could result in fines of $2,000 per violation, $2,500 for negligent violations, and $7,500 for wilful violations.
How Are Employers Impacted by the CPRA?
The CPRA has several provisions that specifically impact employers. One of the key provisions is that employers will be required to obtain explicit consent from California consumers, which include employees, applicants, and other residents of California before collecting and sharing their personal information. Employers will also be required to provide employees with detailed information about the types of personal information they collect and how it will be used. This includes information about the categories of third parties with whom the information will be shared.
Another impact is that the CPRA expands the rights of employees and job applicants to request that their personal information be deleted. Employers will be required to comply with these requests unless they are required to retain the information for legal or other specific reasons.
Additionally, the CPRA includes provisions that protect the personal information of employees and job applicants from discrimination. Employers will be prohibited from using an individual's personal information to discriminate against them in the hiring process or in terms of employment.
In summary, the CPRA has several provisions that specifically impact employers: obtaining explicit consent before collecting and sharing personal information, expanded rights for employees and job applicants to request deletion, protection of personal information from discriminatory use, and coverage of employers under the new data protection law. Employers will need to review and update their data collection and handling practices, as well as their privacy policies, and train their staff on the new requirements.
What Steps Can Employers Take to Be Compliant With CPRA?
Here are a few examples of steps employers can take to comply with the CPRA requirements:
- Conduct a data inventory: Employers will need to identify and document all personal information they collect, use, and share about their employees. This includes information collected through various sources such as HR records and system access based on allowable IP address or geo-location, background check information, payroll and bank account data, time collection data that includes location geo-tags, and employee communications.
- Develop a data map: Employers will need to create a data map that shows how personal information flows through their organization, including where it is stored, who has access to it, and how it is shared. This will help employers identify potential risks and vulnerabilities in their data management practices.
- Implement data minimization: The CPRA requires employers to limit the collection and retention of personal information to what is necessary for a specific business purpose. Employers will need to review their data collection practices and implement measures to minimize the amount of personal information they collect and retain.
- Update privacy notices and policies: Employers will need to update their privacy notices and policies to include information about the rights of California residents under the CPRA. This includes the right to opt-out of the sale of personal information, the right to correct inaccurate personal information, and the right to limit the use of personal information for targeted advertising.
- Provide employee training: Employers will need to train their employees on the CPRA requirements and their roles and responsibilities in protecting personal information.
- Appoint a data protection officer: Employers who meet certain criteria will be required to appoint a data protection officer (DPO) to oversee compliance with the CPRA and to act as a point of contact for employees and customers on privacy matters.
- Develop an incident response plan: Employers will need to develop an incident response plan that outlines procedures for responding to data breaches, including how to identify, contain, and report a data breach and how to notify affected individuals and authorities.
How Oracle Cloud HCM Can Help with Key Steps to Get Compliant with the CPRA
Privacy compliance is a process, and tools are not a silver bullet. When aligned correctly to people and process, technology can automate discovery and compliance activities across different aspects of privacy. Oracle Cloud HCM uniquely offers integrated human capital management and governance capabilities with workflows and insights that align to the steps identified above that employers can take:
- Data inventory: In Oracle Cloud HCM, users have roles through which they gain access to functions and data. This role-based security model enables administrators to create authorization policies for users and specific data security policies, and also to audit every transaction against these policies, which control access to records, data elements, and types of data or application logs. This visibility helps ensure an accurate data inventory.
- Data map: Leveraging the security visualization capabilities within Advanced HCM Controls provides visibility into who has access and can act as the foundation for a data map. The visualization tool also enables organizations to proactively act on potential access anomalies to effectively mitigate risks.
- Implement data minimization: Oracle Cloud HCM offers an extended range of controls to help minimize the volume of data used, who has access, and which elements they have access to. Role-based access controls, in which authorization policies are tied to function and data access, form the foundation. Location-based access controls add an additional layer of security by granting user access to tasks and data based on their roles and computer IP addresses. Sensitive data like banking information for payroll can also be masked. Oracle Cloud HCM REST APIs are also secured by function security and delivered through predefined job roles, extending strong access controls to any third parties. Tailoring HCM processes for different employee populations with Journeys and Experience Design Studio helps minimize the data accessed and captured in transactions. An automated process also helps to obfuscate personally identifiable information for terminated employees. Additionally, Advanced HCM Controls enables automated enforcement and monitoring of data minimization policies.
- Update privacy notices and policies: Oracle Cloud HCM offers a highly configurable UI experience in which organizations can use tools such as Experience Design Studio, HCM Communicate, and Page Composer to easily insert and update their notices and policies and to enable consent management for the collection of recruiting data and during onboarding.
- Provide employee training: Oracle Learning makes it possible to offer privacy compliance training as a natural part of the workflow and in Journeys, rather than as an afterthought, and to track training assignments and report on them for compliance purposes.
- Appoint a data protection officer: Oracle Learning, Advanced HCM Controls, and HR Help Desk provide highly configurable interfaces in which a data protection officer can easily collaborate with employees and other stakeholders on privacy matters.
- Develop incident response plan: Advanced HCM Controls can automate analysis, monitoring and control of security, configurations, and transactions, as well as continuous monitoring of targeted high-risk areas to inform a thorough incident response plan. HR Help Desk enables employees to submit potential incidents promptly via multiple channels, including digital assistant, SMS, and social platforms, for automatic routing and fast replies.
Please note that these are just examples, and employers should consult with legal counsel to ensure that they are complying with all the requirements of the CPRA. To gain a broader view of how Oracle Cloud HCM facilitates privacy compliance, existing customers can download the Oracle Cloud HCM Product Feature Service Guide.