Privacy under California Consumer Privacy Act
Q I heard that there is a new privacy law that applies to employers. How do I know if this applies to my business, and if it does, how do I comply with the new law?
A The privacy law is not entirely new, but some of the privacy provisions in the law just became effective on Jan. 1. However, back in November 2020, California voters approved Proposition 24, the California Privacy Rights Act, which added additional privacy protections to an existing privacy law. The CPRA is lengthy and confusing, but the three main obligations for employers are:
Post a detailed privacy policy about how the employer handles private employee data. Generally, this requires employers to provide employees with a notice of their rights under the CPRA and provide employees a means to ask about how to exercise these rights.
Comply with new employee rights regarding private employee data. Generally, employees may request that the employer disclose to them the personal information collected on them and/or request that this information be deleted or corrected. Employees may direct the employer not to sell or share their personal information and each employee has the right to limit the use of sensitive personal information. Moreover, employees have the right to access personal information and to know what personal information is sold or shared and to whom.
Include specific CPRA provisions in contracts with vendors that handle private employee data.
The first question employers should ask is whether the CPRA applies to them. With some limited exceptions, employers must comply with the CPRA if they satisfy at least one of the following three criteria:
(1) have annual gross revenues in excess of $25 million;
(2) derive at least half of their annual revenues from selling consumers' personal information or
(3) handle, buy, share or sell personal information belonging to at least 100,000 California residents annually.
Although the law covers large employers, even some small businesses might find themselves covered by the CCPA if they collect information about who is using their websites. For example, a small business that has a website with an average of 274 unique visits per day and collects data about the devices or consumers who are accessing the site will likely be “handling” or “sharing” the personal information of 100,000 California residents annually, and therefore be covered by the CPRA.
Employers who are covered under the CPRA should act quickly to comply with its provisions. Last month, the California Privacy Protection Agency submitted its proposed final regulations for the CPRA to the Office
of Administrative Law for a final review. It is anticipated that these final regulations will be approved and become effective in April 2023, with a projected enforcement date of July 1, 2023. Beginning on the July 1, 2023, enforcement date, penalties for noncompliance with the CPRA could be significant and can be levied with or without a cure period.
Employers who have California employees should consult their privacy and/or labor and employment counsel to ensure they remain up to date on the CPRA and its changing privacy rules.
Sara Boyns is a lawyer with Fenton & Keller in Monterey. This column is intended to answer questions of general interest and should not be construed as legal advice. Email queries to email@ fentonkeller.com.