Employer Obligations Under the California Privacy Rights Act
California employers are already familiar with the California Consumer Privacy Act (“CCPA”), which is a privacy law that went into effect on January 1, 2020. However, in November 2020, California voters approved Proposition 24, otherwise known as the California Privacy Rights Act (“CPRA”). As an initial matter, the CPRA does not displace the CCPA, but rather amends and expands it. Because the CPRA will go into effect on January 1, 2023, employers should familiarize themselves with it and prepare for forthcoming compliance. Let’s take a closer look at what’s new.
Does the CPRA Apply to My Business?
Since the CPRA does not apply to all businesses, let’s begin by discussing the criteria for being subject to the CPRA. The CPRA applies to for-profit businesses that either (1) have a gross annual revenue greater than $25 million, (2) buy, sell, and/or share personal information of 100,000 or more California residents or households (up from the previous 50,000 threshold), or (3) derive at least 50 percent of annual revenue from selling or sharing consumers’ personal information. The law also applies to any entity (1) that controls or is controlled by a business subject to the CPRA, (2) that shares common branding with the business, and (3) with which the business shares consumers’ personal information.
What Does the CPRA Require of My Business?
Updated Notice at Collection
Beginning January 1, 2023, at or before the time of collection, employers will be required to disclose: (1) the categories of personal information to be collected about an applicant or employee; (2) the purposes for which the information will be used; (3) the categories of “sensitive personal information” (e.g., Social Security number, driver’s license number, financial account information, login credentials, health information, biometric data, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, etc.) collected and the purposes for which they are used; (4) the length of time the business intends to retain each category of the personal information, including sensitive personal information, or, if not possible, the criteria used to determine the retention period, provided that the business cannot retain the information longer than is reasonably necessary for the disclosed purpose; and (5) whether the personal information, including sensitive personal information, is sold or shared.
Administration of Employee CPRA Rights
As stated above, covered businesses will be required to establish procedures and train personnel to handle consumer CPRA requests. Because these procedures should be tailored to each employer, covered employers are advised to seek appropriate advice from legal counsel to best navigate these requirements. Furthermore, those who are in charge of handling CPRA requests will be legally obligated to be fully informed of all CPRA requirements and regulations. Employers should thus train such personnel on consumer rights under the CPRA, the ways in which those rights may be exercised, and the business’s responsibility in responding to consumers’ exercise of their CPRA rights.
If you have determined that the CPRA applies to you, then you ought to begin preparing for compliance today. If you are at all unclear about your obligations under the CPRA, you should obtain the advice of legal counsel as soon as possible. Fortunately, enforcement of the CPRA will not begin until July 1, 2023, so you may rest assured that any hiccups that occur in the first few months of implementation will not result in legal repercussions.