The California Privacy Rights Act Amends Existing Law

This article is part of our 2022 Labor & Employment New Year Roundup.

These days, most businesses collect and store consumer data, and nearly all businesses maintain employee data. If your business does either (or both), you should be aware of new obligations imposed by recent legislation.

Below is a summary of California’s recent legislation and what the legislation means for California businesses and employers.

Background

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) created numerous privacy rights for consumers, and business obligations for companies. In late 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA), which amended the CCPA, expanding some of the CCPA’s consumer protections and therefore expanding businesses’ obligations.

The CPRA applies to:

  1. A company whose gross annual revenue exceeds $25,000,000
  2. A company that buys, sells and/or shares personal information of 100,000 or more California residents or households
  3. A company that derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information

Non-profit companies are generally not covered by the CPRA. A company that is not otherwise covered by the CPRA may become covered if it contracts with a company that is covered and it receives consumers’ personal information from the covered company.

Changes That May Impact Your Business

If the CPRA applies to your business, you must note the following changes:

  • The CCPA exempted employees, job applicants, owners, directors, officers and contractors of a company from the definition of “consumer.” The CPRA eliminates that exemption.
  • The CCPA requires that every company inform consumers of the categories of personal information the company gathers, and the purposes for which the information will be used. The CPRA adds a definition for “sensitive personal information,” and requires each company to inform consumers which sensitive personal information it gathers, as well as the purposes for which that information will be used.
  • The CPRA adds a requirement for each company to inform consumers about the length of time the company intends to retain each category of personal information, including sensitive personal information; if that is not possible, the company is required to inform consumers how the retention period for personal information is determined.
  • The CPRA adds a requirement that each company must inform consumers whether personal information, including sensitive personal information, is sold.
  • The CCPA requires that each company create a privacy policy at least once every twelve months. The policy must disclose the categories of personal information the company has collected about consumers in the preceding 12 months, a list of the categories of personal information it has sold (or, if it has not sold any categories, a statement to that effect), and a list of the categories of personal information it has disclosed about consumers for a business purpose (or, if it has not disclosed any categories, a statement to that effect). The CPRA adds the following disclosures that each company must make: (1) the categories of sources from which personal information is collected; (2) the business or commercial purposes for collecting, selling or sharing personal information; and (3) the categories of third parties to whom the company discloses personal information.
  • The CPRA adds a requirement for each company to conduct an annual cyber security audit and to submit a risk assessment to the California Privacy Protection Agency. We anticipate that the California Privacy Protection Agency will issue guidance regarding the contours of the audit and risk assessment.
  • The CPRA permits civil lawsuits against companies that fail to take reasonable and appropriate security measures to protect personal information. Personal information includes email addresses in combination with a password or security question that would permit access to the account. The potential damages include monetary damages that are not less than $100 and not more than $750 per consumer, per incident, or actual damages, whichever is greater.

Employee Privacy Rights and Employer Compliance

Many of the CPRA’s provisions become effective on January 1, 2023, but those provisions will not be enforced until July 1, 2023. Previously, employees, job applicants, owners, directors, officers and contractors were excluded from the definition of “consumer,” and they had limited rights under the CCPA. However, companies must now disclose the following rights to them:

  • The right to delete personal information, subject to certain exceptions
  • The right to correct inaccurate personal information
  • The right to access personal information
  • The right to know what personal information is sold or shared, and to whom
  • The right to opt out of sale or sharing of personal information
  • The right to limit the use and disclosure of sensitive personal information
  • The right to be free of retaliation for exercising their rights under the law

Additionally, companies must take the following steps to ensure compliance with the law:

  • Companies must create processes and policies to ensure that their employees, applicants, owners, directors, officers and contractors are able to assert their rights. This will include gathering and organizing all personal information, including sensitive personal information, for those categories of persons, and training personnel to handle requests to assert CPRA rights.
  • Companies must create or revise notices and privacy policies to conform with the CPRA.
  • Companies must ensure that consumer personal information is safe and secure. As part of that process, companies must conduct an annual audit of their cyber security measures and must prepare and provide an annual risk assessment to the California Privacy Protection Agency. While the precise requirements for the audit and risk assessment are not currently known, it behooves companies to take these issues seriously, as the damages (both monetary and reputational) can be severe.

What this means for employers: Companies subject to the CPRA’s requirements will face additional administrative complexities and costs even if they were already complying with the CCPA, as they must revise their policies and their privacy notices pursuant to the changes and prepare themselves to comply with new obligations.

About JMBM’s Labor & Employment Practice

JMBM’s Labor and Employment attorneys counsel businesses and management on workplace issues, helping to establish policies that address problems and reduce job-related lawsuits. We act quickly to resolve claims and aggressively defend our clients in all federal and state courts, before the Department of Labor, the NLRB, and other federal, state and local agencies, as well as in private arbitration forums. We represent employers in collective bargaining negotiations and arbitration.

This update is provided to our clients, business associates and friends for informational purposes only. Legal advice should be based on your specific situation and provided by a qualified attorney.