You may recall that the California Privacy Rights Act (CPRA) amendments (Cal. Civ. Code § 1798.100 et seq.) went into effect January 1, 2023, but enforcement was delayed until March 29, 2024. Employers with the requisite contacts with California consumers (which is defined in an extremely broad manner) will be required to provide employees with extensive privacy notices, respond to requests to exercise new data rights, limit uses and disclosures of HR data, and obtain contractual commitments from third-party recipients of personal information.
The CPRA amendments apply to any business with worldwide gross annual revenue of $25 million or more that collects personal information from any California consumer, which includes a service provider, an employee, a job applicant or an investor, for example. All entities that share common branding will be subject to the CPRA requirements if even one of those entities meet the requisite standards.
Generally, when the employer is subject to CPRA, its employees (and service providers, job applicants, investors, etc.) have six data rights:
1. The Right to Delete
2. The Right to Correct
3. The Right to Know
4. The Right to Restrict the Use of Sensitive Personal Information
5. The Right to Opt-Out of the Sale or Sharing of their Personal Information
6. The Right to Not Be Retaliated for Exercising these Rights
Each of these general rights are subject to detailed requirements and exceptions that must be carefully considered and addressed by employers, who must give appropriate notification to employees. Employers’ data subject to the CPRA includes only information collected on or after January 1, 2022. Given the suspended enforcement, it is presently uncertain whether employers will be expected to be in compliance through a “look back” period that could apply as early as the enactment date of January 1, 2023, or whether employers will be given a pass on compliance until the enforcement stay expires on March 29, 2024. In any event, employers who may be subject to the amended CPRA would be well advised to start their compliance efforts as soon as possible, and should contact qualified counsel to guide their efforts.