By: Minh Luong and Neharika Salhotra
Starting January 1, 2023, companies in California will need to comply with the California Privacy Rights Act (CPRA), which increases obligations for companies and extends them to employees and their data.
When Does the California Privacy Rights Act (CPRA) Apply?
A business falls within the scope of the CPRA if it:
(a) Had annual gross revenue above $25 million in the previous calendar year; or
(b) Annually collects, stores, analyzes, discloses, or otherwise uses (“processes”) the personal information of 100,000 or more California residents or households; or
(c) Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for targeted advertising) the personal information of California residents.
To become CPRA compliant, a business should make sure it meets several provisions laid out in the law, including:
- Privacy notices must be prepared and provided to employees and/or job applicants before such information is collected.
- Employers must disclose the categories of third parties that may collect such information, and those third parties must provide notice at the time of collection.
- Retaining, using, or disclosing information outside the purposes outlined in the contract and the direct relationship between the vendor and the business is prohibited.
- Businesses must have measures in place to safeguard employee information from unauthorized disclosure and should give employees the option to opt out of its use or disclosure.
- Vendors must comply with their applicable obligations under the CPRA and provide notice if they are unable to continue to do so.
- Businesses will have the right to take appropriate action to ensure the vendor’s adherence to the CPRA and to remediate any unauthorized use of personal information.
- Businesses must also include the following provisions in their contracts:
  - Prohibit the sale and sharing of personal information.
  - Require notification of any sub-contractors, and require that any sub-processors be bound to the same obligations.
Important Rights and Key Exceptions to Keep In Mind
- Right to Access or Right to Know: These requests allow employees to access, and be informed of, what personal information is being used and for what purposes. Businesses must review these requests with their legal team to identify attempts at pre-litigation discovery by former employees or attempts at harassment.
- Right to Delete: Employees will have the right to request deletion of certain personal information. However, businesses must remember that not all requests need to be met, especially where the information must be retained to comply with another law.
- Right to Correct: This allows employees to request corrections to inaccurate personal information. Exceptions depend on the type of information. Corrections to objectively false information, such as an address after an employee has moved, are acceptable. However, requests to correct information such as employee reviews, or information whose accuracy cannot be verified, can be subject to further questioning.
What Should Employers Do to Get Ready for the New Legislation?
Recently, California Attorney General Rob Bonta took strong action against Sephora for failing to comply with the California Consumer Privacy Act (CCPA). While this is a different law relating to consumers, it shows that the state of California is ready and willing to crack down on businesses that fail to adhere to the latest data privacy norms. Considering this, it is best for businesses to start taking compliance measures as soon as possible and to begin implementation before January 1, 2023, so they can test-run new measures and make corrections before it is too late.
Some steps employers should consider when getting ready for the CPRA are:
- Data Mapping: Data mapping is essential to taking inventory of all the personal information that your business stores.
- Review CPRA and This Guide: Your business should keep this guide as well as the official CPRA bill accessible and available to address queries or concerns during the implementation process.
- Have DPAs in Place: Your business should ensure that data processing agreements (DPAs) compliant with the CPRA are in place with all vendors and/or third parties that have access to employment-related personal information.
- Develop Assessment Programs: Your business should work on developing assessment programs for new/existing employees to understand their obligations and rights under the CPRA.
This is a general guide to help you understand the process and give you a roadmap of future actions. Each of these steps requires a detailed understanding of the law and of your company’s compliance obligations. For assistance in preparing for and making sure a business is CPRA compliant, please contact the experienced attorneys at Chugh, LLP.