California Privacy Rights Act

Alert
 | ⏱ 3 minute read

Eyes on people, spying on them.

Roll with The Changes
If there is one thing that never changes for employers in California, it’s the need to keep up with frequent changes to the legal compliance landscape. The courts give us a moving target throughout the year with their decisions, which is challenging enough, but predictably our legislature heaps on more at the end of every year to ensure our holiday season respite is short lived as we are required to focus on implementation compliance for the new year. There are several new laws which go into effect January 1, 2023. O’Hagan Meyer is at your service to assist with any compliance questions, best practices policies and procedures.

California Privacy Rights Act
The California Consumer Privacy Act (CCPA) has been around for several years, but until now has specifically exempted personal information of consumers who are acting as a job applicant, employee, owner, director, medical staff member, or contractor of the business collecting their information. However, effective January 1, 2023, that exemption no longer exists based on the new California Privacy Rights Act (CPRA), which specifically eliminates the employer exemption. Therefore, employers must now consider compliance with both CCPA and CPRA as it relates to existing and prospective employee’s personal information.
Here are the key highlights.

What Personal Information is Covered?
The CPRA indicates “Sensitive Personal Information” includes anything that reveals an individual’s personal information, such as Social Security number, driver’s license number, state identification card, or passport number, log in information allowing access to any financial account, including account log in, debit card, or credit card number in combination with any required security or access code, password, racial or ethnic origin, religious or philosophical beliefs, union membership status and precise geolocation. This is not intended as an exhaustive list; but rather examples identified in the statute.

Notice of Collection
Businesses are already required under the CCPA to communicate to prospective and existing employees a notice of collection, the types of personal information collected and for what it will be used. These notices should be updated, or created if not in current use, to comply with the additional notice requirements, including information about rights to review, the right to delete, the right to correct, the right to non-discrimination for exercising rights and the right to opt out of the sale of personal information and retention periods, and the right to limit the use and disclosure of sensitive personal information.

Business to Business Transactions
The CPRA covers contracts and interactions with outside vendors used by employers which handle employee personal information, such as payroll and benefits management companies. An employer can be held liable for breaches by these vendors when they knew, or should have known, they were out of compliance resulting in a prohibited breach.

Conclusion
As if we don’t have enough already, the CPRA creates a new State administrative agency, the California Privacy Protection Agency, which will be responsible for enforcement and interpretive regulations. As always, the courts will add their two cents going forward. In the meantime, as January 1, 2023 quickly approaches, it is critical that businesses with employees in CA review existing personal information protocols and make appropriate adjustments. Employers must respond fairly quickly to any request by an existing, prior or prospective employee to exercise their newfound rights, so it is critical to plan ahead.

Related Capabilities

Jump to Page

O'Hagan Meyer Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek