California: CPRA Enforcement is Expected to Come as Early as April 2023

APPLIES TO

All Employers Subject to the CPRA with CA Employees

EFFECTIVE

January 1, 2023

  

QUESTIONS?

Contact HR On-Call

(888) 378-2456

Quick Look

  • Provisions of the CPRA require a business’ workforce personal information to fall under the same protections and consumer rights requirements as the personal information of the business’ consumers.
  • The final regulations implementing the CPRA are now before the Office of Administrative Law for final approval and should go into effect as early as April.

Discussion

The long-awaited regulations for the California Privacy Rights Act (CPRA) have been sent to the Office of Administrative Law and appear to be ready to go into effect this spring. Despite the lack of final regulations, the CPRA’s amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023. These amendments removed the exemption that had excluded workforce personal information from the CCPA consumer data privacy amendments. Workforce members include California applicants, employees, and independent contractors. The CPRA applies to all businesses (regardless of location) with annual gross revenues exceeding $25 million or that buy, sell, or share consumers’ personal information at certain thresholds.

Workforce members are entitled to certain consumer rights regarding their personal information: 1) the right to know what personal information is collected and how it is used; 2) the right to correct incorrect personal information; 3) the right to delete personal information; 4) the right to opt out of the sale or sharing of sensitive personal information; 5) the right to limit the use of sensitive personal information; and 6) the right to be free from retaliation or discrimination for the exercise of these rights. These rights have certain limitations, especially in an employment setting. Employers, for example, do not have to comply with a rights request if the information needs to be retained to comply with other applicable laws. Employers should not wait for the final regulations to be approved to move ahead with compliance since there are a number of complicated requirements.

Employers will need to complete a data inventory of all of their workforce personal information. This includes locating the data, and identifying the storage format, storage method, and storage location as well as the physical location. This process must also be repeated amongst any vendors or third parties with whom employers share or sell any workforce personal information. Once personal information is identified, it must be categorized based on its type and business purpose or use as stated in the CPRA. Employers also need to create and update privacy policies as well as notices to provide to workforce members at the point personal information is collected. Contracts with third parties must also include language referencing the third parties’ obligations under the CPRA.

Employers must create an internal process for directing workforce members who want to exercise their consumer rights to the submission methods for such requests, and for responding to rights requests. In addition, employers must train the employees responsible for managing workforce personal information and responding to rights requests on the basic requirements of the CPRA as well as the employer’s specific privacy policy, notice requirements, and rights request submission and response methods. Employers must retain records relating to any rights request submissions and responses for 24 months or as required under other applicable law.

Although the final regulations have yet to go into effect, employers should work with their legal counsel now to implement the requirements. Many of the obligations under the CPRA require specific knowledge about each individual business’ personal information collection, use, and storage practices.

 

Action Items

  1. Locate and map all workforce personal information.
  2. Draft notices of collection and privacy and retention policies for workforce personal information.
  3. Train appropriate personnel on directing workforce members in how to exercise their consumer rights and on responding to rights requests.
  4. Review notices, policies, procedures, and third-party contracts with legal counsel.
  5. Review the CPPA’s website for more information.
  6. Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2023 ManagEase