The California Privacy Rights Act (CPRA): Enforcement July 2023

 
 

The California Privacy Rights Act (CPRA) is a new privacy law that builds on the California Consumer Privacy Act (CCPA) and provides additional protections and rights to California consumers. The CPRA goes into effect on January 1, 2023, and will become enforceable on July 1, 2023. 

So, what does this mean for employers? Well, one big change is that the CPRA will get rid of some exemptions that previously existed under the CCPA. This means that employers will have to follow new rules when collecting personal information from California employees. This includes giving employees the right to know what personal information is being collected, the right to delete or correct that information, the right to opt out of the sale of personal information, and the right to limit the use or disclosure of sensitive personal information.

And speaking of sensitive personal information, that's a new category that's been introduced by the CPRA. It includes things like an employee's racial or ethnic origin, sexual orientation, union membership status, email addresses, and account log-in information. Employers will have to be very careful when collecting and using this kind of information, and employees will have the right to request that their sensitive personal information is not shared.

Employers will also need to update their privacy notices and enter into agreements with vendors who process employment personal information. These agreements must include specific clauses about how the information will be used, treated, disclosed, and retained, to avoid any data sharing arrangement being seen as a "sale" of personal information.

Finally, the CPRA will increase an employer's exposure to private lawsuits under the CCPA. If an employee's personal information (including their email address in combination with a password or security question and answer) is subject to an unauthorized data breach, the employer could be liable for statutory damages.

So, if you're an employer with California employees, it's important to stay up to date on these changes and make sure you're complying with the new requirements. The good news is that the law won't be actively enforced until July 1, 2023.

Are you a covered entity under the California Privacy Rights Act (CPRA)?

Who exactly needs to follow this new law? For-profit employers with gross annual revenue of more than $25 million, those who buy, sell, or share personal information of over 100,000 California residents, or those who derive 50% or more of their annual revenue from selling personal information need to comply with CPRA.

Your business could be subject to the California Privacy Rights Act (CPRA) if you have employees working in California (or even just one employee remotely based there), and your company made over $25 million globally last year (annual gross revenues).

The CPRA also applies to businesses that buy, receive, or sell personal information of 50,000 or more California consumers, households, or devices in a given year. It's important to note that the CPRA applies not only to businesses that collect personal information directly from California consumers but also to businesses that obtain personal information from other sources and then use that information in the context of their business operations in California.

So, what does this mean for employers with California employees? 

The CPRA requires employers to inform individuals about what personal information (PI) related to employment is being collected and how it's being used. This includes information like an employee's name, e-mail address, photo, IP address, and audio and video recordings. Sensitive personal information, which includes things like Social Security numbers, financial account information, and biometric data, is subject to additional protections. Businesses familiar with the California Consumer Rights Act should also be aware of the new rights added by the CPRA, such as the right to correct inaccuracies in personal information, the right to opt out of sharing personal information, and the right to limit the use and disclosure of sensitive personal information.

Employers must provide a privacy notice that includes a description of the categories of sensitive personal information collected, whether the employer sells or shares the PI, the length of time the PI will be retained by the employer, and a list of any third parties the employer uses to collect or disclose PI.

Employees have several rights under CPRA, including the right to know what personal information is being collected and how it is being used, the right to delete personal information, the right to opt out of the sale of their personal information, the right to correct inaccurate personal information, and the right to not be retaliated against for exercising any rights under CPRA.

Employers that share employment-related PI with third parties must establish data processing agreements that include specific requirements like identifying the purpose for which the information is made available and requiring the third party to comply with all applicable sections of the CCPA.

The California Privacy Protection Agency enforces CPRA. If you're an employer in California, it's essential to understand these new requirements to protect your employees' data privacy.

Employers who may be covered under this law should seek legal advice from a data privacy lawyer or experienced employment lawyer to ensure compliance with this new law.

Questions about whether your business is covered under the CPRA? Need policies drafted for compliance with the CPRA? Wagner Legal can help. Contact Wagner Legal today for a consultation about your CPRA business needs. 

