This article is part of our 2022 Labor & Employment New Year Roundup.
Most businesses now collect and store consumer data, and nearly all businesses maintain employee data. If your business does either (or both), you should be aware of the new obligations imposed by recent legislation.
Below is a summary of California's recent privacy legislation and what it means for California businesses and employers.
Effective January 1, 2020, the California Consumer Privacy Act (CCPA) created numerous privacy rights for consumers and corresponding obligations for businesses. In November 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA), which amended the CCPA, expanded some of its consumer protections and therefore expanded businesses' obligations.
The CPRA applies to a for-profit business doing business in California that meets any one of the following thresholds:
- Gross annual revenue exceeding $25,000,000 in the preceding calendar year
- Annually buys, sells and/or shares the personal information of 100,000 or more California residents or households
- Derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information
Non-profit organizations are generally not covered by the CPRA. A company that is not itself a covered business can still take on CPRA obligations if it acts as a service provider or contractor for a covered business and receives consumers' personal information from that business: the CPRA requires the covered business to bind it by contract to restrictions on how that information may be used and disclosed.
Changes That May Impact Your Business
If the CPRA applies to your business, you should note the following changes:
- The CCPA temporarily exempted personal information collected from employees, job applicants, owners, directors, officers and contractors in those roles from most of its requirements. The CPRA lets that exemption expire on January 1, 2023, so those individuals are treated as "consumers" from that date.
- The CCPA requires every covered business to inform consumers of the categories of personal information it collects and the purposes for which that information will be used. The CPRA adds a defined category of "sensitive personal information" (for example, Social Security and other government identification numbers, account log-in credentials, precise geolocation, and health, biometric and genetic data) and requires each business to tell consumers which sensitive personal information it collects and the purposes for which it will be used.
- The CPRA adds a requirement that each business inform consumers, at or before the point of collection, how long it intends to retain each category of personal information, including sensitive personal information; if that is not possible, the business must explain the criteria used to determine the retention period.
- The CPRA adds a requirement that each business inform consumers whether their personal information, including sensitive personal information, is sold or shared.
- The CPRA directs the new California Privacy Protection Agency to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit and to submit regular risk assessments to the Agency. The regulations will define which businesses are covered and the contours of the audit and risk assessment; until they are issued, the precise obligations are not known.
- The CCPA's private right of action, which the CPRA retains and expands, lets consumers sue a business when a data breach of nonencrypted and nonredacted personal information results from the business's failure to implement reasonable security procedures and practices. The CPRA adds to the covered data an email address in combination with a password or security question and answer that would permit access to the account. Recoverable damages are statutory damages of not less than $100 and not more than $750 per consumer, per incident, or actual damages, whichever is greater. Because the claim reaches only nonencrypted and nonredacted data, encrypting stored personal information (with the keys kept separate from the data) materially reduces exposure.
Employee Privacy Rights and Employer Compliance
Many of the CPRA's provisions become effective on January 1, 2023, but administrative enforcement of those provisions does not begin until July 1, 2023. Employees, job applicants, owners, directors, officers and contractors were previously carved out of most of the CCPA's protections and had only limited rights. From January 1, 2023, they have the same rights as other consumers, and companies must notify them of the following rights:
- The right to delete personal information, subject to certain exceptions
- The right to correct inaccurate personal information
- The right to access personal information
- The right to know what personal information is sold or shared, and to whom
- The right to opt out of sale or sharing of personal information
- The right to limit the use and disclosure of sensitive personal information
- The right to be free of retaliation for exercising their rights under the law
Additionally, companies must take the following steps to comply with the law:
- Create processes and policies that allow employees, applicants, owners, directors, officers and contractors to exercise their rights. This includes inventorying and organizing all personal information, including sensitive personal information, held about those categories of persons (so that access, correction and deletion requests can actually be fulfilled), and training personnel to handle requests to exercise CPRA rights within the statutory deadlines.
- Create or revise privacy notices and privacy policies, including notices at the point of collection, to conform with the CPRA.
- Keep consumer personal information safe and secure. Businesses whose processing presents significant risk to consumers' privacy or security will, once the California Privacy Protection Agency's regulations take effect, have to conduct an annual cybersecurity audit and submit regular risk assessments to the Agency. While the precise requirements for the audit and risk assessment are not yet known, it behooves companies to take these issues seriously, as the consequences of a breach (both monetary and reputational) can be severe.
What this means for employers: Companies subject to the CPRA's requirements will face additional administrative complexity and cost even if they were already complying with the CCPA, because they must revise their policies and privacy notices to reflect the changes and prepare to comply with the new obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.