The compliance date for the California Privacy Rights Act (CPRA) is January 1, 2023. There are significant changes from the current law, the California Consumer Privacy Act (CCPA), including the following:
- The CPRA eliminates the employee exception, which means that California-resident employees, applicants, emergency contacts, beneficiaries, independent contractors, and members of boards of directors (collectively, “employees”) have the same rights as any other consumers.
- Generally speaking, employees may make a “verifiable consumer request” that the company disclose to them the personal information or sensitive personal information collected on them and/or request that this information be deleted or corrected. Employees may direct the company not to sell or share their personal information, and each employee has the right to limit the use of sensitive personal information. Employees have the right to access personal information and to know what personal information is sold or shared and to whom.
- Employees must be provided notice of their rights under the CPRA and be able to advise the employer of their exercise of these rights. The employer has limited time to respond to a request and must properly document all responses.
- The CPRA makes a distinction between “personal information” and “sensitive personal information.” “Personal information” is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” “Sensitive personal information” includes anything that reveals an individual’s personal information, such as Social Security number, driver’s license number, state identification card, or passport number; “a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account”; “[a] consumer’s precise geolocation”; and “a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.” The data privacy protections for sensitive personal information are required to be more robust than those used to protect personal information.
- Finally, business-to-business transactions are now subject to the CPRA.
Employers may want to confirm that they have procedures in place to meet the January 1, 2023, compliance date under the CPRA.
Ogletree Deakins will continue to monitor developments with respect to the CPRA and will post updates on the California and Cybersecurity and Privacy blogs as information becomes available. Important information for employers is also available via the firm’s webinar and podcast programs.