Employer Obligations Under the California Privacy Rights Act

California employers are already familiar with the California Consumer Privacy Act (“CCPA”), which is a privacy law that went into effect on January 1, 2020. However, in November 2020, California voters approved Proposition 24, otherwise known as the California Privacy Rights Act (“CPRA”). As an initial matter, the CPRA does not displace the CCPA, but rather amends and expands it. Because the CPRA will go into effect on January 1, 2023, employers should familiarize themselves with it and prepare for forthcoming compliance. Let’s take a closer look at what’s new.

Does the CPRA Apply to My Business?

Since the CPRA does not apply to all businesses, let’s begin by discussing the criteria for being subject to the CPRA. The CPRA applies to for-profit businesses that either (1) have a gross annual revenue greater than $25 million, (2) buy, sell, and/or share personal information of 100,000 or more California residents or households (up from the previous 50,000 threshold), or (3) derive at least 50 percent of annual revenue from selling or sharing consumers’ personal information. Further, the law also applies to any entity (1) that controls or is controlled by a business subject to the CPRA, (2) that shares common branding with the business, and (3) with which the business shares consumers’ personal information.

What Does the CPRA Require of My Business?

If you’ve determined that the CPRA applies to your business, then you need to know how to comply. First, the definition of “consumer” includes not only purchasers, but also California-based employees, job applicants, and independent contractors. “Personal information” refers to most of the information collected about consumers within the scope of those roles. Please note that the exemption to these expanded definitions under the CCPA will expire on December 31, 2022. This means that CPRA-covered businesses will be obligated to provide an updated notice at collection, provide new privacy policy disclosures about employees’ CPRA rights and how to exercise them, establish the procedures necessary to comply with employee CPRA requests, and train appropriate personnel to handle employee CPRA requests and responses. We’ll now discuss each of these in turn.

Updated Notice at Collection

Beginning January 1, 2023, at or before the time of collection, employers will be required to disclose: (1) the categories of personal information to be collected about an applicant or employee; (2) the purposes for which the information will be used; (3) the categories of “sensitive personal information” (e.g., Social Security number, driver’s license number, financial account information, login credentials, health information, biometric data, racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, etc.) collected and the purposes for which they are used; (4) the length of time the business intends to retain each category of the personal information, including sensitive personal information, or, if not possible, the criteria used to determine the retention period, provided that the business cannot retain the information longer than is reasonably necessary for the disclosed purpose; and (5) whether the personal information, including sensitive personal information, is sold or shared.

Privacy Policy Disclosures

Beginning January 1, 2023, employers must disclose in their privacy policy to employees, job applicants, and independent contractors, information about their rights under the CPRA. Generally, with exceptions, employers must disclose to consumers the right (1) to delete personal information, (2) to correct inaccurate personal information, (3) to access personal information, (4) to know what personal information is sold or shared and to whom, (4) to opt out of sale or sharing of personal information, (5) to limit use and disclosure of sensitive personal information, and (6) of no retaliation exercising their rights under the law.

In addition to these rights, covered businesses must also disclose in their privacy policy (1) categories of personal information collected during the preceding 12 months, (2) categories of sources from which personal information is collected, (3) business or commercial purposes for collecting personal information, (4) categories of third parties to which personal information is disclosed, (5) categories of personal information the business has sold or shared in the prior 12 months, or, if the business has not sold or shared such information, a statement to that effect, and (6) categories of personal information disclosed for business purposes in the preceding 12 months, or, if the business has not disclosed such information, a statement to that effect. Since these requirements take effect January 1, 2023, businesses must be prepared to provide information going back 12 months to January 1, 2022. Finally, covered employers must update their privacy policy at least annually.

Administration of Employee CPRA Rights

As stated above, covered businesses will be required to establish procedures and train personnel to handle consumer CPRA requests. Because these procedures should be tailored to each employer, it is advised that covered employers seek appropriate advice from legal counsel to best navigate this. Furthermore, those who are in charge of handling CPRA requests will be legally obligated to be fully informed of all CPRA requirements and regulations. Employers should thus train such personnel on consumer rights under the CPRA, the ways in which those rights may be exercised, and the business’s responsibility in responding to consumers’ exercise of their CPRA rights.

If you have determined that the CPRA applies to you, then you ought to begin preparing for compliance today. If you are at all unclear about your obligations under the CPRA, you should obtain the advice of legal counsel as soon as possible. Fortunately, enforcement of the CPRA will not begin until July 1, 2023, so you may rest assured that any hiccups that occur in the first few months of implementation will not result in legal repercussions.