California continues to be a leader in protecting its citizens’ privacy by making sure they have control over how businesses collect and share their personal data. This commitment to Californians is reflected in the California Privacy Rights Act (CPRA), which dramatically expands worker privacy rights and increases the obligations of companies with California workers.
Although proposed regulations implementing the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) are currently under development, CPRA became effective January 1, 2023 and enforcement of its provisions will begin July 1, 2023. Employers subject to the CPRA should fully leverage the delay in enforcement activity to ensure CPRA compliance readiness.
The CPRA amends and expands the California Consumer Privacy Act (CCPA) to require companies subject to the CCPA to extend personal information privacy rights to their workers (past and present), officers, directors, medical staff members, independent contractors, and job applicants. Employers need to expand privacy policies to include these workforce members and be prepared to respond to requests regarding their rights under the CPRA. The law imposes elevated protections for “sensitive personal information,” which includes social security, driver’s license, passport, and financial account numbers, and other highly private information. Consumers will have the right to limit businesses’ ability to collect, use, and share this information.
CPRA applies to for-profit companies doing business in the state and collects the personal data of Californians or has it collected and fits one or more criteria. Not-for-profit entities and federal agencies are excluded from the CPRA. Businesses will have to provide a notice and privacy policy covering the collection, use, and transfer of personal information and offer these individuals the right to request copies, correction, and deletion of their personal information, among other rights. Since the focus is on whether a business collects the personal information of California consumers, the law may apply to businesses located in a state other than California, or a country other than the United States.
For-profit businesses that meet the following criteria must comply:
California is the first state to extend consumer data privacy rights to workers, unlike data privacy laws enacted in Colorado, Connecticut, Utah, and Virginia where workers’ personal information is exempted from their requirements. As the strongest consumer privacy law ever enacted in the United States, the CPRA achieves broad general parity with the most comprehensive laws in Europe (GDPR), Japan, Israel, New Zealand, and Canada.
The consumer rights granted by both laws encompass:
And, failing to comply will be consequential as the new CPRA empowers the Attorney General, California’s 62 district attorneys, and the new California Privacy Protection Agency to enforce it, with those powers (and penalties) coming into play in July 2023.
Californians for Consumer Privacy (CCP) sponsored Proposition 24, the CPRA that passed in November 2020 with over 9 million votes. It was also the sponsor of the CCPA referendum. For additional information, please refer to its California Privacy Rights Act Resource Center for additional information https://www.caprivacy.org/cpra-resource-center/
