California Employers’ New Obligations Under the CPRA
By: Tara Mirchandani
In November 2020, California voters approved Proposition 24 – also known as the California Privacy Rights Act (CPRA) – a ballot initiative that amended the California Consumer Privacy Act (CCPA). While the CCPA explicitly granted data privacy rights to California residents in their capacity as consumers, the CPRA grants employees additional rights with respect to their data.
Under the CCPA, human resources (HR) data had largely been exempt. However, under the CPRA, which will take effect January 1, 2023, employers will have additional obligations to their employees, job applicants, and independent contractors with respect to the privacy of their HR data. Enforcement of the CPRA will begin July 1, 2023, after a six-month grace period for employers to come into compliance with the new law.
Rights and Obligations Under the CPRA
Notice Requirement: The CPRA mandates that a business that controls the collection of a consumer’s personal information must also disclose the following at or before the point of collection:
- the purpose for which categories of both sensitive personal information and personal information are collected or used;
- whether this personal information is sold or shared; and
- the employer’s retention policy.
Employee’s Rights: The CPRA provides employees, job applicants, and contractors additional rights in relation to the collection and use of their personal information, including:
- Right to Access: The CPRA allows an employee to make a request to know the specific pieces of personal information an employer holds about them that were generated on or after January 1, 2022.
- Right to Correct: Employees may request that their employer correct any inaccurate personal information that has been collected.
- Right to Delete: Employees may request that their personal information be deleted.
- Right to Restrict: Employees have the right to restrict the use of their sensitive personal information (including their financial information, social security numbers, communications content, health information, etc.) to specific business purposes or limited disclosures.
- Right to Opt Out of Sale or Sharing: Employees can opt out of the sale or sharing (i.e., the transfer or making available of a consumer’s personal information) of their personal information by a business to a third party.
- Right to Know: Employees may request from their employers the personal information that has been collected about them during the preceding 12 months.
The California Privacy Protection Agency and Consequences for Noncompliance
The CPRA established a new agency, the California Privacy Protection Agency (CPPA), that will be implementing and enforcing the law. The CPPA is governed by a five-member Board and is responsible for updating existing regulations, adopting new privacy regulations, and imposing fines for privacy violations.
While enforcement of the CCPA used to include a 30-day “cure period” following a notice of noncompliance from the California Attorney General, the CPRA eliminates this 30-day window to cure violations.
The amount for potential fines is $2,500 per violation and $7,500 per intentional violation. The CPRA also permits a new penalty of up to $7,500 for violations (even if unintentional) involving the consumer privacy of minors.