California: CPRA Enforcement is Expected to Come as Early as April 2023
All Employers Subject to the CPRA with CA Employees
January 1, 2023
Contact HR On-Call
The long-awaited regulations for the California Privacy Rights Act (CPRA) have been sent to the Office of Administrative Law and appear to be ready to go into effect this spring. Despite the lack of final regulations, the CPRA’s amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023. These amendments removed the exemption for workforce personal information to be exempt from the CCPA consumer data privacy amendments. Workforce members include California applicants, employees, and independent contractors. The CPRA applies to all businesses (regardless of location) with annual gross revenues exceeding $25 million or who buy, sell, or share consumers’ personal information at certain thresholds.
Workforce members are entitled to certain consumer rights regarding their personal information: 1) the right to know what personal information is collected and how it is used; 2) the right to correct incorrect personal information; 3) the right to delete personal information; 4) the right to opt-out of the sale or sharing of sensitive personal information; 5) the right to limit the use of sensitive personal information; and 6) the right to be free from retaliation or discrimination for the exercise of these rights. These rights have certain limitations, especially in an employment setting. Employers, for example, do not have to comply with a rights request if the information needs to be retained to comply with other applicable laws. Employers should not wait for the final regulations to be approved to move ahead with compliance since there are a number of complicated requirements.
Employers will need to complete a data inventory of all of their workforce personal information. This includes locating the data, and identifying the storage format, storage method, and storage location as well as the physical location. This process must also be repeated amongst any vendors or third parties with whom employers share or sell any workforce personal information. Once personal information is identified, it must be categorized based on its type and business purpose or use as stated in the CPRA. Employers also need to create and update privacy policies as well as notices to provide to workforce members at the point personal information is collected. Contracts with third parties must also include language referencing the third parties’ obligations under the CPRA.
Although the final regulations have yet to go into effect, employers should work with their legal counsel now to implement the requirements. Many of the obligations under the CPRA require specific knowledge about each individual business’ personal information collection, use, and storage practices.
- Locate and map all workforce personal information.
- Draft notices of collection and privacy and retention policies for workforce personal information.
- Train appropriate personnel on directing workforce members on how to exercise their consumer rights and responding to rights requests.
- Review notices, policies, procedures, and third-party contracts with legal counsel.
- Review the CPPA’s website for more information.
- Subscribers can call our HR On-Call Hotline at (888) 378-2456 for further assistance.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2023 ManagEase