What Does California Privacy Rights Act Mean for Employers?

California Privacy Rights Act for Employers

The new California consumer privacy law – California Privacy Rights Act (CPRA) – garnered 56.1% of the state vote on November 3, 2020 and was officially certified on December 16, 2020. Although most of the CPRA provisions will not become operative until January 1, 2023, some of its provisions applicable to employers have an immediate effect. Here is what has changed and how employers can meet new requirements with Clarip’s help.

Existing CCPA Employee Information Exemptions Are Nullified

Before the CPRA became effective, employers doing business in California were required to provide “at collection” notices to employees pursuant to Cal. Civ. Code §1798.100(b). Employers were also subject to the CCPA private right of action provisions of Section 1795.150. However, all other CCPA requirements regarding employee personal information were delayed until January 1, 2021.

In October 2020, the California Legislature extended the delay for another year until January 1, 2022. However, upon the passage of the CPRA, the existing CCPA employee information exemptions have been effectively nullified.

Key CPRA Provisions Regarding Employee Personal Information

The CPRA itself contains a provision which delays the applicability of the privacy law to personal information collected by a business about a job applicant, employee, or independent contractor until January 1, 2023. However, any further delays are extremely unlikely at this point. Thus, if they have not done so already, businesses must start preparing to extend all rights granted by the CCPA and CPRA – including rights to know and access personal information, delete and correct personal information, and to opt out of its sale and sharing – to their employees, applicants, and independent contractors.

Furthermore, under the amended Cal. Civ. Code §1798.145(m)(3), there are two exceptions to the January 1, 2023 extension — which means the following two provisions became effective on December 16, 2020:

Civ. Code §1798.100(a) requires businesses to issue the expanded “at collection notices”; and

Civ. Code §1798.150 provides individuals with a private right of action against businesses for specified security breaches.

Thus, it appears that employers are now required to provide the expanded “at collection” privacy notices to applicants, employees, or independent contractors and are subject to the amended private right of action provision, which includes a newly added right to sue businesses for failure to protect email addresses along with account access information.

Shifting Leverage at the Workplace Privacy Domain

Along with the expansion of employees’ rights and employers’ obligations, the CPRA establishes a new privacy regulator, the California Privacy Protection Agency, which will play an important role in the workplace privacy domain. As Clarip discussed in its recent post, the new agency will have full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act, as amended by the CPRA. Among its many responsibilities will be to provide guidance to consumers and employees regarding their privacy rights, as well as guidance to businesses regarding their duties and responsibilities under the privacy law.

CCPA / CPRA / GDPR Compliance made easy!

Powerful consent and preference management technology. Personalized marketing via intuitive forms across multiple channels. Capture consent and maintain audit trail.
Data Risk Intelligence. In-depth analysis of cookies, beacons and tags and vendor data flows. Uncover risks and implement controls.
Automated Data Mapping. Tedious / error-prone manual data mapping using surveys is a thing of the past! Auto scan thousands of data sources and identify PII.
Individual Rights. Fully automated data rights fulfillment software means less work for your team. Collect, respond and manage DSR requests automatically.
Privacy Center. Simplified privacy notices demonstrate clarity and transparency, and offers a better user experience to your customers.