Beginning January 1, 2020, certain California employers were required to comply with portions of the California Consumer Privacy Act of 2018 (CCPA) regarding the collection of consumers’ personal information. On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which dramatically strengthened and expanded the CCPA. Employers subject to the CPRA must be in compliance by January 1, 2023. The urgency for employers to start those efforts now to meet this compliance deadline is caused by, among other things, the fact that employees have disclosure rights under the CPRA.
Specifically, the CPRA makes job applicants, employees, independent contractors, owners, emergency contacts, and beneficiaries “consumers” under the CCPA, meaning that an employer must comply with the CPRA with regard to each of these individuals.
Under the CPRA, consumers must be informed of who is collecting their personal information and their children’s personal information, how that information is being used, and to whom it is being disclosed. The CPRA requires that consumers be able to control the use of their personal information, including sensitive personal information, and have meaningful options with respect to how it is collected, used, and disclosed. Under the CPRA, consumers must be given notice of their rights and be able to exercise their options through easily accessible self-service tools.
In addition, the CPRA requires that businesses provide easily accessible means to allow consumers to obtain their personal information, delete or correct it, opt out of its sale, and opt out of its showing across business platforms, services, businesses, and devices.
In this framework, the CPRA provides that by January 1, 2023, employers must have implemented procedures that allow applicants, employees, owners, directors, independent contractors, and beneficiaries control over their personal information. Pursuant to the CPRA, an employer must implement procedures that provide notice to a consumer of the consumer’s rights, procedures through which the consumer may exercise the rights, procedures through which the employer complies with a request, and procedures that notify the consumer of the employer’s response to the request for each right described below:
- The right to request that a business delete any personal information about the consumer that the business has collected from the consumer
- The right to request that an employer that maintains inaccurate personal information about the consumer correct the inaccurate personal information (in other words, an employer that receives a verifiable consumer request to correct inaccurate personal information is required to use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer)
- The right to know what personal information is being collected and the right to have access to that information
- The right to know what personal information is sold or shared, and to/with whom it is sold or shared
- The right to opt out of the sale or sharing of personal information
- The right to limit the use of sensitive personal information to the use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services
- The right not to be retaliated or discriminated against following an opt-out or for exercising rights under the CPRA
Finally, the California Privacy Protection Agency will develop regulations regarding the CPRA, which are due on July 1, 2022, that may provide further guidance regarding an employer’s obligations.
Employers may want to begin creating and putting in place procedures to meet the January 1, 2023, compliance date under the CPRA.