California: CPRA is Now Enforceable!

APPLIES TO

All Employers subject to the CCPA/CPRA

EFFECTIVE

February 9, 2024

QUESTIONS?

Contact HR On-Call

(888) 378-2456

Quick Look

  • The CPRA is enforceable as of February 9, 2024 by the CPPA.
  • Employers must act now to ensure compliance.

Discussion

 

Although the law has been in effect, enforcement of the California Privacy Rights Act (CPRA) was stayed on June 30, 2023 until March 29, 2024 to allow for a 12-month implementation period of released regulations. However, on February 9, 2024, a California Court of Appeal in California Priv. Prot. Agency v. Superior Ct. of Sacramento Cnty. reversed the stay of enforcement of the March 29, 2023 regulations. Even though the California Privacy Protection Agency (CPPA) failed to adopt final regulations by July 1, 2022 as directed by the CPRA, the court said there was no clear requirement in the CPRA mandating a one-year delay between regulation finalization and enforcement. This means that the CPRA is currently enforceable by the CPPA.

 

The CPRA applies to all private businesses (regardless of location) with annual gross revenues exceeding $25 million or that buy, sell, or share consumers’ personal information at certain thresholds. Importantly, workforce personal information is not exempt from the consumer data privacy amendments. If covered businesses have job applicants or workers located in California, they must comply with the privacy rules for those individuals.

 

Employers must complete a data inventory of all their workforce personal information and categorize it based on the information type and business purpose or use. Employers also need to implement privacy policies as well as notices to provide to workforce members at the point personal information is collected. Contracts with third parties must also include language referencing the third parties’ obligations under the CPRA. Employers must have an internal process for directing workforce members who want to exercise their consumer rights, and must train the employees responsible for managing workforce personal information and responding to rights requests.

 

Employers should note that the CPPA has been enforcing violations of the California Consumer Privacy Act (CCPA) and will continue to “vigorously” enforce the CPRA, barring any further legal developments. Employers should act now to ensure compliance!

 

Action Items

  1. Review the CPPA website for guidance.
  2. Implement and update privacy notices and policies for compliance.
  3. Review vendor agreements and security of consumer personal information.
  4. Review procedures for handling privacy requests.

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2024 ManagEase