Navigating CPRA in HR: essential FAQs for California’s privacy law
Stay informed and compliant with the evolving landscape of data privacy laws. Dive into our comprehensive guide on important FAQs concerning California's new CPRA, ensuring your business upholds its obligations and safeguards consumer rights.
This is a primer on the recently established California Privacy Rights Act, and what employers must do to remain compliant with this new legislation. As a business, you are not only required to comply with data privacy law in your interactions with consumers, but also when managing California-based job candidates as well as California-based current and former employees of your company.
When reviewing this tutorial, remember that ‘consumer’ and ‘employee’ can be read as interchangeable terms. For example, where it says ‘its purpose is to protect the personal information of California residents (“consumers”)’, it is equally applicable to read this as ‘its purpose is to protect the personal information of California residents (“employees”).’
CPRA is the California Privacy Rights Act. It went into effect as of January 1, 2023, and its purpose is to protect the personal information of California residents (“consumers”). CPRA places requirements on businesses for collecting, sharing, or selling personal information.
CPRA is an amendment of the California Consumer Privacy Act (“CCPA”), which has been in effect since January 1, 2020. So if your company has already been subject to the CCPA, CPRA most likely affects you.
What does CPRA mean?
“CPRA” stands for California Privacy Rights Act. It is a privacy protection law approved by California voters as Proposition 24 in November 2020. Its purpose is to protect the personal information of California residents (“consumers”).
When does CPRA go into effect?
CPRA went into effect on January 1, 2023, with a one-year look-back period (it applies to personal information collected on or after January 1, 2022), and enforcement began on July 1, 2023.
What does the CPRA do?
The CPRA strengthens the protection of consumers’ personal information, acting as an update to the previous California Consumer Privacy Act (CCPA).
The CPRA expands the rights of California residents and adds further requirements on businesses that collect, share or sell personal information. It keeps the existing opt-in requirement for selling the personal information of consumers under 16 and extends it to sharing.
The CPRA also establishes a new government agency to enforce the laws, the California Privacy Protection Agency.
The CCPA rights include the right to disclosure (access), the right to deletion, the right to data portability and the right to opt out of the sale of personal information. The CPRA adds the right to correct inaccurate information, the right to opt out of the sharing of personal information, and the right to limit the use and disclosure of sensitive personal information.
Why this concerns you as an employer: When you hire and employ, you are collecting personal information by way of job applications, resumes, employment contracts and other documentation. When this involves California-based workers, it is your legal responsibility to respect their rights regarding disclosure, correction, deletion, portability and the sale or sharing of their information.
Who does the CPRA apply to?
CPRA places obligations on ‘businesses’, headquartered inside or outside of California, which collect personal information of California residents and satisfy at least one of three conditions:
- Annual gross revenue of more than $25 million in the preceding calendar year.
- Buying, selling or sharing the personal information of 100,000 or more California consumers or households annually.
- Deriving 50% or more of annual revenue from selling or sharing California consumers’ personal information.
CPRA also covers “service providers”, defined as for-profit entities that process personal information on behalf of a business for a business purpose. CPRA places strict obligations on service providers regarding their use of any personal information, and it also defines “third parties” as entities that are neither the business nor its service providers.
Why this concerns you as an employer: The extent to which your business operates in California – particularly in terms of annual gross revenue and handling of candidate personal information – will determine the level to which compliance with CPRA is required.
What personal information is protected under this law?
Under CCPA, “personal information” refers to information that identifies, relates to, describes, or is reasonably capable of being associated or linked, directly or indirectly, with a particular consumer or household.
Under CPRA, a subset of this information receives additional protection as “sensitive personal information”. Sensitive personal information under CPRA includes:
- Account log-in credentials combined with any password, security or access code needed to access the account
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of mail, email or text messages, unless the business is the intended recipient
- Sex life or sexual orientation
- Genetic information
- Biometric information processed to uniquely identify the consumer
- Health data
Why this concerns you as an employer: Just as employees have a right to privacy and protection for their protected characteristics, sensitive information in any of the above categories falls within the employee’s right to have their personal information kept confidential.
What are the main CCPA/CPRA requirements for businesses?
The main CCPA/CPRA requirements for businesses are:
1. Disclose collection
A business must inform consumers, at or before the point of collection, about what personal information is collected, how it is used, and how they can exercise their rights and choices.
2. Disclose collection of sensitive personal information
If a business collects sensitive personal information, it must disclose the categories collected or used and whether this information is sold or shared.
3. Disclose retention period
A business must also disclose the length of time it intends to retain each category of personal information, or, if that is not possible, the criteria used to determine this period.
4. “Do Not Sell or Share My Personal Information”
A business that sells or shares personal information must provide two or more methods for submitting requests to opt out of that selling or sharing.
5. Enter into agreement with service providers
A business that collects personal information and sells, shares or discloses it to a third party or service provider must enter into a written contract that restricts how the recipient may use the information.
6. Provide the right of deletion
A business must inform consumers of their right to request the deletion of the personal information the business has collected about them, and must comply with such a request unless an exception applies.
7. Provide the right to correct inaccurate information
A business must correct inaccurate personal information when it receives a consumer request.
8. “Limit the Use and Disclosure of Sensitive Personal Information”
A business must respect a consumer’s request to limit its use and disclosure of the consumer’s sensitive personal information to what is necessary to provide the goods or services the consumer requested.
9. Give consumers the opportunity to exercise their rights
For example, the business must provide two or more designated methods for consumers to submit requests. It must also include a “Do Not Sell or Share My Personal Information” link in a prominent place on its website homepage.
10. Maintain a privacy policy
The business must publish a privacy policy that describes consumers’ privacy rights under CCPA/CPRA and includes a link to the “Do Not Sell or Share My Personal Information” page.
11. Comply with consumer requests
A business must respond to a verifiable consumer request within 45 days of receiving it (extendable once by a further 45 days where reasonably necessary, if the consumer is notified). If the business cannot comply for some reason, it must inform the consumer and explain why.
12. Respect consumers’ rights under CCPA/CPRA
This includes the right to know/access, the right to deletion, the right to correction, the right to data portability, the right to opt in (for consumers under 16) and the right to opt out of sale or sharing.
13. Employee Training
The CPRA requires businesses to ensure that all individuals responsible for handling consumer inquiries and requests are informed of the CCPA/CPRA requirements and of how to direct consumers to exercise their rights.
Why this concerns you as an employer: Again, think of your employees and job applicants as ‘consumers’ and consider how each of the above requirements applies to you as a business.
Can a company refuse to comply with a consumer’s request?
Yes, under certain conditions. CCPA/CPRA obliges businesses to comply with consumer requests unless certain criteria are met.
For example, a business is not required to comply with a consumer’s request to delete their personal information if it is “necessary for the business to maintain the consumer’s personal information” for one of the listed purposes.
The law lists the criteria that make it “necessary” to keep a consumer’s information (e.g. to complete the transaction for which it was collected, to comply with a legal obligation, to detect security incidents, and more).
Why this concerns you as an employer: Your employees’ personal information may be ‘necessary’ for your business to retain, for example for payroll, benefits, contracts, tax and other records pertinent to the employee’s status in your company.
However, consult with legal counsel to confirm which personal information you can retain, and for how long, within the boundaries of the law.
Are there exceptions to this law?
Not any more for HR or business-to-business data.
Initially, the CCPA provided a one-year exemption for personal information collected in the context of employment (see Bill AB 25) and for business-to-business communications (AB 1355). Both exemptions were extended until the end of 2022 and expired on January 1, 2023, so employee and job-applicant data is now fully covered.
Is CCPA still in effect and what’s the difference between CCPA and GDPR?
CPRA only amends CCPA, so companies that have determined that they are subject to the CCPA still have to comply with all CCPA requirements, as amended.
For more information on CCPA or a comparison between CCPA and GDPR, read our in-depth guide to CCPA and CCPA vs. GDPR.
How to implement CCPA/CPRA
Each business might need to follow a tailored plan of action to achieve compliance with the CCPA/CPRA, but generally you could follow this compliance checklist as best practice:
1. Read about the law yourself
If possible, read the actual CCPA/CPRA text and the implementing regulations to see the requirements and collect the questions you may have.
2. Consult with your attorney or legal counsel
Legal counsel can answer your questions and explain the requirements of the law, as well as any open questions or disputes around it.
3. Compare and contrast with other privacy laws
If you comply with other privacy laws (e.g. GDPR), or have complied already with the CCPA, see if there’s any overlap in the requirements – it’s possible that you already comply with some aspects of California’s privacy legislation.
4. Create a plan for CPRA compliance
What are the consequences of violating this law?
Under the original CCPA, a business had 30 days to cure violations after being notified. The CPRA removed this automatic cure period; whether a business is given time to cure is now at the discretion of the enforcing agency. Penalties are up to $2,500 for each violation, or up to $7,500 for each intentional violation or violation involving consumers under 16 years of age.
In addition, consumers whose non-encrypted and non-redacted personal information is exposed in a data breach caused by the business’s failure to maintain reasonable security may bring a civil action for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
Important note: This article is meant to provide general guidelines and should be used as a reference. It’s not a legal document and doesn’t provide legal advice. Neither the author nor Workable will assume any legal liability that may arise from the use of this article. Always consult your attorney on matters of compliance with each law.