This fall, Governor Gavin Newsom signed a slew of employment legislation into law, all of which takes effect January 1, 2023. However, while the California Privacy Rights Act (CPRA) became law in 2020, it also takes effect on the first day of the new year and affects how employers handle employee personal data.
The CPRA expanded the California Consumer Privacy Act (CCPA), and while employers were previously exempted from complying with the laws for employees, job applicants, or contractors, this exemption expires with the end of this year.
Now employers need to ensure that they are in full compliance with the CPRA in 2023. Government enforcement of its provisions is set to begin July 1, 2023.
One important exception for employers is that CPRA only applies to employees who are residents of California. And not all companies meet the threshold for CPRA, which we discuss below.
For employees, job applicants and contractors who are residents of California, employers legally must fulfill the following requirements regarding employee, applicant and contractor personal information:
- Provide notice to employees, job applicants and contractors at the time the employer collects private information that explains what kind of information is collected and how it will be used.
- Respond to employee requests to exercise their rights under CPRA, which include:
  - The right to correct inaccuracies in personal information collected.
  - The right to opt out of sharing personal information.
  - The right to limit the use and disclosure of sensitive personal information. “Sensitive personal information” includes social security, driver’s license, passport and financial account numbers, which the CPRA limits the right of businesses to collect, use and share.
  - The right to non-discrimination for exercising rights.
  - The right to know what personal information is collected.
  - The right to delete personal information.
- Inform employees, applicants and contractors of the company’s data retention policy. Companies may only keep data for as long as is “reasonably necessary.”
How Employers Can Prepare for the California Privacy Rights Act
The CPRA provides all the protections given to consumers under the CCPA to employees, so to ensure that your company is in compliance, consulting with an attorney specializing in employment law is a smart first step.
To be in compliance, employers should first assess whether the CPRA thresholds apply to their company:
- You have at least $25 million of annual gross revenue.
- You buy, sell, share or receive the personal information or data of 100,000 or more California residents.
- You receive over half of your revenue from the sale of personal data of California residents.
If your company is required to follow the CPRA, then you must:
- Identify the personal information collected for employees, applicants and contractors.
- Create an employee, applicant and contractor privacy notice.
- Develop internal policies and procedures to handle data requests from employees, applicants and contractors.
Penalties for violating the CPRA can add up quickly. Fines range from $2,500 per violation to $7,500 per intentional violation or for any violation against minors. Additionally, companies can’t avoid penalties by addressing the violations within 30 days of being notified by the Attorney General of the violation, a provision previously contained in the CCPA.
The legal landscape for employers is complicated and ever-changing, so having an expert employment attorney on your side can make the difference between compliance and being in violation.
LawPLA is here to guide you through the necessary steps for CPRA compliance. We are ready to defend you against alleged violations. Just contact either of our Los Angeles offices or visit our website to schedule a consultation. We are on your side.