A MoFo Privacy Minute Q&A: What PI Access Rights Will California Employees Have Under CPRA Starting January 1, 2023?
Question: My company is preparing to respond to employee rights requests under the California Privacy Rights Act (CPRA) when the law’s employee exemption expires in January 2023. What is the scope of an employee’s right to receive the personal information that their employer has about them?
Answer: As of January 1, 2023, employees (including former employees, job applicants, independent contractors, business owners, directors, and officers, and any of their emergency contacts and beneficiaries) who are California residents will have the right to know about, and access, the personal information that their employer has about them.
Under these rights, an employee may request that their employer share with them (1) the categories of personal information (PI) the employer has collected about the employee, (2) the categories of sources from which the employer collected the PI, (3) the employer’s business or commercial purpose for collecting or selling the PI, (4) the categories of third parties to whom the employer has disclosed the PI, and (5) copies of the actual PI itself that the employer has collected about that employee. This includes PI that the employer has collected about the employee and not only PI it has collected from the employee. The CPRA’s requirements apply to PI collected on or after January 1, 2022, which limits the PI that is subject to an employee’s rights.
An employee’s personnel file likely contains a lot of PI about the employee that would be subject to the employee’s access right. Employee PI is also likely to be stored in several other repositories that an employer maintains. Yet, these records may also contain information that is not PI about the employee or that falls within an exception to the employer’s CPRA obligations. The CPRA gives employees a right to receive “specific pieces” of PI, not necessarily copies of whole documents that also contain other information about the company or about other people.
While personal information is broadly defined as information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly,” with the employee, it does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. This might exempt information about the employee that is publicly available on the Internet. The CPRA also does not apply to consumer reports under the Fair Credit Reporting Act or medical information covered by certain other federal and state privacy laws. Also, the PI that must be provided to the employee does not include data generated to help ensure security and integrity, so an employer may not have to provide information about an employee related to certain kinds of internal investigations.
Likewise, the CPRA does not require disclosure of PI that falls within an exception, such as if the disclosure would hinder the company’s ability to comply with a federal, state, or local law, or to exercise or defend a legal claim, or if the disclosure would waive a privilege or adversely affect the rights and freedoms of other individuals. The CPRA also does not apply to PI that is adequately de-identified or aggregated, and it provides an exception for unduly burdensome requests. However, the employer should also be mindful that the California Labor Code provides employees with the right to “inspect and receive a copy of the personnel records that the employer maintains relating to the employee’s performance or to any grievance concerning the employee.” An employer that receives an access request from an employee who is a California resident should identify whether the employee is making the request under the CPRA, or a request to inspect and receive personnel records under the Labor Code, or both, because this will determine what information must be provided, and the timeline for providing it.
In most cases, employers will need to look beyond the personnel file to respond to an employee’s CPRA request because companies generally collect PI about employees in additional repositories. This does not mean that an employer must search for and provide every email, message, or document that mentions the employee or on which the employee was a sender or recipient. Important questions that the company should consider include:
It is important to note that many CPRA access requests received from employees, former employees, and employee candidates may in fact be veiled pre-litigation discovery attempts. That said, employers may not retaliate against employees for making a CPRA request. So, these requests should be handled with great care, with the involvement of both the HR and legal departments, taking into account how the requestor and their own legal counsel may be planning to use the information they obtain through a CPRA request.