Privacy Notice at Collection (CCPA/CPRA) for California Employees


Summary

This template is for use by covered employers to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), in providing employees with notice describing the personal information collected by the employer and how it is used. This template includes practical guidance and drafting notes.

Although Notice at Collection and Privacy Policy are sometimes used interchangeably, they have different requirements. The Notice at Collection lets the person know what personal information is being collected from them. The privacy policy is retrospective, disclosing the information collected by the company in the 12 months prior to the effective date of the policy. CCPA/CPRA regulations provide further clarification on the notice requirements of each. See 11 CCR 7011 and 7012.

First, the CCPA/CPRA is applicable to consumers, but not in the commonly used sense of the term. A "consumer" is "a natural person who is a California resident as defined in 18 CCR 17014 . . ., however identified, including by any unique identifier." Cal. Civ. Code § 1798.140(i). A California resident is an individual who is:

• In California for other than a temporary or transitory purpose –or–
• Domiciled in California and outside the state for a temporary or transitory purpose

18 CCR 17014.

Notably, the CCPA/CPRA does not define consumer in terms of an individual's relationship with a business. The law applies to every California resident, whether or not they are a customer of the covered business, notwithstanding exemptions. See Cal. Civ. Code § 1798.140(i).

California used to have an exemption for personal information collected in the employment context, but the exemption expired on January 1, 2023.
This means that businesses must comply with the CCPA/CPRA's requirements for any personal information collected from employees, job applicants, owners, directors, officers, and contractors, even if the information is only used in the context of their employment.

The Notice at Collection must include:

• The categories of personal information (including sensitive personal information) to be collected
• The purpose(s) for collecting such information
• Whether the personal information is sold to or shared with third parties
• If the information is sold or shared, the link to the Notice of Right to Opt-out of Sale/Sharing
• How long the data is retained, or the criteria used to determine that period –and–
• A link to the business's privacy policy, or in the case of offline notices, where the privacy policy can be found online

11 CCR 7012(e).

A new notice must be issued before the employer uses the information for a new purpose not previously disclosed.

A Notice at Collection must be designed and presented in a way that is easy to read and understandable. It must be:

• In plain, straightforward language avoiding technical or legal jargon
• In a format that draws the consumer's attention to the notice and makes the notice readable, including on smaller screens, if applicable
• In languages that the business uses in the ordinary course –and–
• Reasonably accessible to those with disabilities

11 CCR 7003(a) and (b) and 7012(b).

A link to this notice must be conspicuously placed on the web page or web form where employee personal information is collected. If the personal information is collected offline, the notice should be placed on the printed forms that collect personal information, or there should be prominent signage directing employees to where the notice can be found online. See 11 CCR 7012(c).

For additional content related to the CCPA/CPRA, see California Consumer Privacy Resource Kit (CCPA and CPRA).
For more guidance on employer compliance obligations under the CCPA/CPRA, see California Privacy Rights Act (CPRA): Employer Obligations and Privacy Notice at Collection (CCPA/CPRA) for California Employees. For general guidance on complying with the CCPA/CPRA, see California Consumer Privacy Compliance (CCPA and CPRA) and Consumer Data Privacy (CA). For a full listing of related California privacy content, see Data Privacy and Cybersecurity State Law Compliance Resource Kit (CA). For a full listing of data security & privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For a full listing of data security content that applies to federal government agencies, see Data Security & Privacy for Government Agencies Resource Kit.