The California Privacy Rights Act: An Overview

Quick Hits

• The California Privacy Rights Act applies to all California resident consumers, including job applicants and employees, and it also applies to business-to-business transactions.
• Employees can sue their employers for data breaches, and under certain circumstances, employees can bring a class action-type lawsuits.
• Companies that collect personal information from California resident consumers and have annual gross revenues in excess of $25 million company-wide are required to comply with the CPRA.

The CPRA applies to all California resident consumers, including job applicants and employees, and it also applies to business-to-business transactions. Like other consumers, an employee can sue an employer for a data breach, and, under certain circumstances, can bring a class action-type lawsuit. The court will consider efforts to comply with the CPRA in considering damages or other relief to award in such a lawsuit. Finally, the California attorney general is currently enforcing the CPRA and can levy administrative fines. Companies that annually buy, sell, or share the personal information of 100,000 or more California resident consumers, have more than $25 million in annual gross revenue company-wide, or derive 50 percent or more of annual revenues from selling or sharing consumers’ personal information are required to comply with the CPRA.

Generally speaking, CPRA compliance requires the following:

• Implementing reasonable security measures to protect PI from unauthorized access, exfiltration, and/or theft.
• Putting in place procedures to promptly and properly respond to data breaches.
• Preparing, posting, and distributing CPRA notices to California resident consumers. “Consumer” is defined as “a natural person” residing in California, including job applicants, employees, the beneficiaries and emergency contacts of employees, independent contractors, owners, and members of the board of directors. Businesses are required to provide a notice that includes a description of the categories of PI collected, the business purpose for collecting it, how long the PI is retained, and the categories of third parties to whom the PI is shared and or sold.
• Putting in place a Consumer Access Request procedure so that consumers, including employees, can exercise their rights under the CPRA. This involves verifying and responding to requests to disclose, delete, and correct PI, requests to limit the distribution of PI, and the right to opt out of the sale or sharing of PI.
• Making sure that vendors and service providers that receive PI from the company comply with the CPRA.
• Preparing a California-specific privacy policy.
• Providing employees who handle personal information training on the CPRA.
• Making sure that consumers, including employees, are not discriminated against for exercising their rights under the CPRA.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will publish updates on the California and Cybersecurity and Privacy blogs as additional information becomes available.

Follow and Subscribe

LinkedIn | Instagram | Webinars | Podcasts