California Privacy Rights Act (CPRA)

02.01.23Baylee Davies

California Privacy Rights Act (CPRA)

In 2020, the California Consumer Privacy Act (CCPA) took effect and required companies that are subject to CCPA to follow strict requirements for the privacy of consumer information. Employment related information was mostly exempt from CCPA. However, that exemption expired on December 31, 2022. 

CCPA was amended by the California Privacy Rights Act (CPRA) in 2021 to require companies subject to the law to provide privacy rights to their employees, job applicants and independent contractors beginning January 1, 2023. The state has said they will begin enforcing the new law on July 1, 2023, to give companies time to comply. 

Note: You will see the law referred to as CPRA or CCPA or both so the names have sometimes become interchangeable. 

The California Privacy Protection Agency (CPPA) is responsible for enforcing CCPA/CPRA and has indicated they will be releasing the final rules in the next coming weeks. Meanwhile, we are providing answers to the most frequently asked questions we have received about this new requirement. While the information already available is pretty clear on what you need to know about the law so you can start to prepare, we will keep you updated if anything changes when the new rules are released.

How do I know if my business is covered by CPRA/CCPA?

If you are a for-profit company that does business in California and meets any one of the following criteria, your company is required to comply with the law.

  • Annual nationwide gross revenue of over $25 million; OR
  • Buy, sell or share the personal information of at least 100,000 residents or households; OR
  • Derives at least 50% of annual revenue from selling or sharing California residents’ personal information.

Darn…looks like my business is covered, what do I need to do?

  • Understand what employee, job applicant and independent contractor personal information you collect on California residents, how long you keep it, where you keep it stored and how they use it.
  • Update or create a Notice of Collection and an Employee Privacy Notice
  • Prepare to respond to a data request from employees, job applicants or independent contractors
  • Identify any third parties who receive your employee, job applicant or independent contractor data. This would include, for example, service providers who provide benefits or payroll services to your company.
  • Provide a Data Processing Agreement to these third parties. The agreement should contain restrictions on the third parties’ use of the personal information. 

What does the law mean by employee, job applicant and independent contractor personal information?

‘Personal information’ is described in the law as any information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked directly or indirectly to a particular person or household.

Huh?  What are some examples of personal information?

Some examples of personal information are name, address, online identifiers such as an IP address or email address, emergency contact, and past employment-related information such as prior job history or education.

The law also includes a category of sensitive personal information such as a social security number, driver’s license number, work authorization numbers such as a Passport or Employment Authorization Document, bank account, direct deposit information or credit/debit card information, precise geolocation data, biometric data, union membership, and membership in a protected class under California or federal law.

There is some information not covered under CCPA/CPRA such as information that is already covered by the Health Insurance Portability Act (HIPAA), Fair Credit Reporting Act (FCRA) and information that has been de-identified or is in aggregate form.

What is a Notice of Collection?

Covered employers must provide their employees, job applicants and independent contractors a notice that includes the categories of personal information they collect or use and the purposes for which that information is collected. They must also include information on whether the information is sold or shared and the length of time the business intends to retain each category of personal information, or if that is not possible, the criteria used to determine that length of time.

How is that different from the Employee Privacy Notice?

An Employee Privacy Notice informs employees of the company’s privacy practices in regard to their personal information. It should include at a minimum the following:

  • A list of the categories of personal information the company collects and has collected in the past 12 months about employees.
  • The sources from which employment-related personal information is collected.
  • The business purpose is for collecting, selling or sharing the employees’ personal information.
  • Categories of personal information the company has sold, disclosed or shared in the prior 12 months.
  • The categories of third parties to whom the business discloses employee personal information to.
  • An explanation of how an employee, job applicant or independent contractor can submit a CPRA request or exercise their right under CPRA. The company must provide two or more methods for these requests to be submitted.
  • Employee’s rights under CPRA which include:
    • Right to delete some personal information
    • Right to correct inaccurate information
    • Right to know and access personal information
    • Right to know what personal information is sold, shared or disclosed and to whom
    • Right to opt out of sale or sharing of personal information
    • Right of no retaliation for exercising their CPRA rights
  • The date the privacy policy was updated. It must be updated at least once every 12 months.

How do I distribute these notices?

CPRA requires the notices to be posted online which is currently understood to mean on the company’s internet website, internal intranet/network or career websites. It would be a good practice to ensure employees are aware of where these policies are posted should they want to review them.

What happens when an employee requests to know what personal information my company has on them?

Once an employee makes a request, the company has 45 days in which to provide the information to the employee. 

If an employee requests information be deleted or not shared, the company may be able to deny or limit its response to this request in some situations. For example, if the company has a legal obligation to keep or share the information, they are defending a legal claim, or are cooperating with law enforcement, they can deny the employee’s request. It is important to understand the federal, state and local legal record retention requirements when responding to a deletion request.

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is an agreement between a business and a third party, such as vendors that handle employee and job applicant personal information. It should include the following:

  • The personal information is sold or disclosed to the third party only for limited and specified purposes
  • Requires the third party to comply with the law and provide the same level of privacy protection as the company is required to provide to its employees and job applicants.
  • Allows the company to take reasonable steps to ensure the third party uses the personal information they receive in a manner consistent with the companies obligations under the law
  • Allows the company the right to take reasonable steps to stop and correct unauthorized use of the personal information it has shared with the third party
  • Requires the third party to notify the company if it can no longer meet the requirements under the law

This is so confusing! What happens if I don’t comply with it?

The CA Attorney General or the California Privacy Protection Agency has said they intend to aggressively enforce CCPA/CPRA and are empowered to bring civil actions to enforce the privacy mandate. They may impose a fine of $2,500 per violation and $7,500 for each intentional violation. In addition, employees and job applicants have the right to bring action against the employer if their personal information is subject to a security breach.

This blog has been prepared for general information purposes only and is not intended to be legal advice. We recommend you contact your legal counsel for further details and documentation creation should you be a covered employer.