Starting January 1, 2023, certain employers that do business in California will have new obligations under the California Privacy Rights Act (CPRA). As enacted, the CPRA amends the California Consumer Privacy Act (CCPA) to expand multiple privacy obligations, by providing certain rights to employees, independent contractors, and others.
Companies that do business for-profit in California must follow the CCPA, regardless of whether the business is incorporated or has a store in the state. Such businesses will be subject to the CCPA if they meet one or more of the following threshold requirements:
- Annual gross revenue is in excess of $25 million.
- Annually buys, sells, or shares the personal information of 100,000 or more consumers.
- Derives 50% or more of annual revenue from selling the personal information of consumers.
The CPRA may also apply to a business if that business is owned or controlled by a business defined by the CPRA, or if the business shares common branding with a business that buys or shares personal information of consumers.
The CPRA amends existing rights under the CCPA, as well as creates two new data rights. These rights, as they will apply to consumers and employees are:
- The Right to Know: Requires employers to provide certain notices and to disclose collected information upon request.
- The Right to Delete: Requires that employers comply with employee requests to delete information, unless such a request falls within an exception.
- The Right to Opt-Out: Requires employers to provide employees with the opportunity to opt-out of the sale or sharing of the employee’s personal information with third parties.
- The Right to Opt-In: Establishes expanded rules for the use of minors’ data, and requires employers to obtain consent to sell the personal information of minor employees.
- The Right to Sue: Provides a private right of action for certain violations of the CPRA.
- The Right to Non-Discrimination: Prohibits discrimination or retaliation against employees who exercise CPRA data rights.
- The Right to Correct: Allows employees to request that their employer request that certain personal information be corrected.
- The Right to Limit Use: Defines “sensitive personal information” and requires that employers limit the use and disclosure of such information.
Also beginning January 1, 2023, businesses that utilize contractors that will receive personal information will be subject to two additional contracting requirements. Such businesses must include in their contracts or service provisions that imposes a restriction on the contractor’s ability to sell personal information that it received from the contracting business. Along with this and several other contracting requirements that will be required by the CPRA, contractors will be required to permit employers to monitor their handling of human resources data.
In order to avoid potential liability, employers should put in place reasonable security practices and procedures to protect the personal information of employees. Though CPRA enforcement will not begin until July 1, 2023, employers should not delay their compliance efforts.