New Employer Requirements under the California Privacy Rights Act (CPRA)
October 25, 2022
In 2018, in response to California voter petitions, the Legislature enacted the California Consumer Privacy Act of 2018 (“CCPA”) into law. Under the CCPA, consumers have the right to learn what information a business has collected about them, to delete their information, to stop businesses from selling their personal information, including targeted advertisement, and to hold businesses accountable if they do not take reasonable steps to safeguard their personal information. Subsequently, in 2020, Californians voted to enact the California Privacy Rights Act (“CPRA”) strengthening their privacy protections. The CPRA amends and extends Californian’s privacy rights under CCPA.
Currently, the CCPA does not extend all the consumer rights to privacy to employees with respect to employment related personal information. For example, the CCPA does not extend consumers’ rights to situations where an employee’s personal information is collected solely to be used in connection with the individual’s role as an employee or job applicant. However, under the CPRA, the employer-employee exemption to the privacy provisions under the CCPA will become inoperative as of January 1, 2023.
Which Businesses Does the CPRA Apply to?
The CPRA applies to businesses that (1) are for profit and do business in California, (2) collects consumers’ personal information (or on the behalf of which such information is collected), (3) that alone, or jointly with others, determines the purposes and means of the processing of consumers’ person information, and (4) satisfies one of the following:
- Had $25 million in gross revenues as of January 1 in the preceding fiscal year;
- Alone or in combination, annually buys, sells, or shares personal information of 100,000 California consumers or households; or
- Derives from 50% or more of its revenue from selling or sharing consumers’ personal information.
CPRA Employer Requirements
- Privacy Notice
Additionally, under the CPRA, employers will also be required to provide third-party notices at the time of collection if the employer allows a third-party to collect personal information on its behalf. The third-party notice must include: (a) the consumer’s rights, (b) information about who is collecting the data, (c) how and for what purposes is such data being collected, sold, used or shared, and (d) the categories of all third parties that the employer discloses to or allows to collect consumers’ personal information. Employers will also be required to enter into a Data Processing Agreement (DPA) with its vendors that may have access to personal information and conduct due diligence assessments on their vendors to ensure that they can process personal information in compliance with the CPRA.
- The categories of personal information collected by the employer during the preceding 12 months;
- The categories of sources from which the personal information is collected;
- The business or commercial purposes for collecting, selling, or sharing personal information;
- The categories of third parties to which personal information is disclosed;
- The categories of personal information sold or shared for the purposes of cross-context behavioral advertising in the preceding 12 months;
- The categories of personal information disclosed for a business purpose in the preceding 12 months; and
- The individual’s CPRA rights and how they can exercise those rights.
Lastly, the CPRA established a new agency called the California Privacy Protection Agency (CCPA) which will implement and enforce the law. The CPPA is a five-member board that is responsible for updating existing regulations and imposing fines for privacy violation. Failure to comply with the CPRA may result in the issuance of an injunction as well as a civil penalty of up to $2,500.00 for each violation or up to $7,500.00 for each intentional violation.
We will continue to keep you updated on new developments. If you have any questions about the California Privacy Rights Act (CPRA), contact McKague Rosasco LLP.