New Employer Requirements under the California Privacy Rights Act (CPRA)



October 25, 2022
 
In 2018, in response to California voter petitions, the Legislature enacted the California Consumer Privacy Act of 2018 (“CCPA”) into law. Under the CCPA, consumers have the right to learn what information a business has collected about them, to delete their information, to stop businesses from selling their personal information, including targeted advertisement, and to hold businesses accountable if they do not take reasonable steps to safeguard their personal information. Subsequently, in 2020, Californians voted to enact the California Privacy Rights Act (“CPRA”), strengthening their privacy protections. The CPRA amends and extends Californians’ privacy rights under the CCPA.

Currently, the CCPA does not extend all consumer privacy rights to employees with respect to employment-related personal information. For example, the CCPA does not extend consumers’ rights to situations where an employee’s personal information is collected solely to be used in connection with the individual’s role as an employee or job applicant. However, under the CPRA, the employer-employee exemption to the privacy provisions under the CCPA will become inoperative as of January 1, 2023.

Which Businesses Does the CPRA Apply to?
The CPRA applies to businesses that (1) are for profit and do business in California, (2) collect consumers’ personal information (or on the behalf of which such information is collected), (3) alone, or jointly with others, determine the purposes and means of the processing of consumers’ personal information, and (4) satisfy one of the following:

  1. Had $25 million in gross revenues as of January 1 in the preceding fiscal year;
  2. Alone or in combination, annually buys, sells, or shares personal information of 100,000 California consumers or households; or
  3. Derives 50% or more of its revenue from selling or sharing consumers’ personal information.

The CPRA also applies to any entity that controls a business or shares common branding with a business as defined above; a joint venture or partnership composed of businesses which has at least 40% interest in a business as defined above; and a person that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by the CPRA.

CPRA Employer Requirements
Under the CPRA, employers will be required to (1) provide a privacy notice to employees and applicants and (2) post their privacy policy on their company’s external and internal websites.

  1. Privacy Notice
The CPRA requires employers to prepare and provide a privacy notice to employees and/or job applicants at or before the time personal information is collected. The privacy notice provided must include, without limitation: (a) the categories of sensitive personal information (as defined by the statute); (b) whether that sensitive personal information is sold or shared; and (c) the length of time the employer intends to retain each category of sensitive personal information. Employers will be required to honor requests to delete, know, correct, access, and limit the use and disclosure of sensitive personal information. Employees must also have the right to opt out of both the sale and sharing of personal information without retaliation. Employers will be required to implement policies and procedures to safeguard personal information against unauthorized disclosure and provide employees with the right to limit the use and disclosure of sensitive information.

Additionally, under the CPRA, employers will be required to provide third-party notices at the time of collection if the employer allows a third party to collect personal information on its behalf. The third-party notice must include: (a) the consumer’s rights, (b) information about who is collecting the data, (c) how and for what purposes such data is being collected, sold, used or shared, and (d) the categories of all third parties that the employer discloses to or allows to collect consumers’ personal information. Employers will also be required to enter into a Data Processing Agreement (DPA) with their vendors that may have access to personal information and to conduct due diligence assessments on their vendors to ensure that they can process personal information in compliance with the CPRA.

  2. Privacy Policy
Going forward, employers will be required to have their privacy policy posted online for consumers and applicants to view when they visit the employer’s website and on the employer’s intranet website for their internal staff members to review.

Under the CPRA, an employer’s online privacy policy must disclose:

  1. The categories of personal information collected by the employer during the preceding 12 months;
  2. The categories of sources from which the personal information is collected;
  3. The business or commercial purposes for collecting, selling, or sharing personal information;
  4. The categories of third parties to which personal information is disclosed;
  5. The categories of personal information sold or shared for the purposes of cross-context behavioral advertising in the preceding 12 months;
  6. The categories of personal information disclosed for a business purpose in the preceding 12 months; and
  7. The individual’s CPRA rights and how they can exercise those rights.

The California Privacy Protection Agency (CPPA)
Lastly, the CPRA established a new agency called the California Privacy Protection Agency (CPPA), which will implement and enforce the law. The CPPA is a five-member board that is responsible for updating existing regulations and imposing fines for privacy violations. Failure to comply with the CPRA may result in the issuance of an injunction as well as a civil penalty of up to $2,500.00 for each violation or up to $7,500.00 for each intentional violation.

We will continue to keep you updated on new developments. If you have any questions about the California Privacy Rights Act (CPRA), contact McKague Rosasco LLP.
 