By Kevin Hylton | LexisNexis Practical Guidance
The voters of California once again laid the foundation for a new compliance challenge for companies when they passed Proposition 24 back in 2020. This initiative, the California Privacy Rights Act (CPRA), expands California’s landmark consumer privacy law to establish even broader consumer protections and impose greater penalties on businesses that fail to comply.
The CPRA becomes fully operative on January 1, 2023, but it applies to personal data collected on or after January 1, 2022, so in essence there are a number of key provisions that have already taken effect. And importantly, it cannot be repealed by the state legislature.
One of the curious provisions of the new law is the creation of the California Privacy Protection Agency, a five-member panel that will oversee enforcement of the statute. The CPRA may be enforced beginning on July 1, 2023 — and only as to violations that occur on or after that date — but the practical reality is that implementation is running behind the schedule outlined in the law, which was passed by 56% of California voters.
“The deadline for promulgating regulations as set out under the CPRA has long passed, which means businesses are eager to receive finalized rules,” Law360 reported on Nov. 23, 2022. “In light of the Office of Administrative Law’s 30-day review period, the soonest companies will likely receive finalized regulations is at the end of January or February. However, depending on what transpires during the comment period and the following activity, this timeline may be further delayed.”
Regardless of the precise date of implementation and enforcement, the CPRA is a sweeping new law that will have important implications for any organization doing business in California. It allows consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ usage of sensitive personal information (e.g., geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information).
For employers, here is the troubling part: There is no exception for data collected and stored for purposes of human resources management.
“The CPRA is a data privacy law that was written with the consumer in mind, but it applies very awkwardly to employers,” said Zoe M. Argento, shareholder at Littler, where she is co-chair of the firm’s Privacy and Data Security Practice Group. Argento represents and counsels clients on all aspects of workplace privacy and information security.
The CPRA applies to any organization that has one or more employees in California if the company made more than $25 million in revenue globally during the previous calendar year. It does not apply to non-profit organizations or government entities.
“In the U.S., employers have not had to deal with a comprehensive data privacy law like this before,” explained Argento. “For example, the existing California Consumer Privacy Act exempts HR-related data, except for certain circumstances such as data breaches. The CPRA now requires several elements of comprehensive protection of HR data, which is very burdensome and a lot of work for businesses.”
Argento identified some of the key requirements in the CPRA that employers need to understand:
“HR departments are handling a lot of sensitive information and very disparate types of information — everything from performance valuations and tax information to benefits and health data — and they’re already subject to a lot of demanding requirements for handling data in the HR context,” Argento said. “So the CPRA is really overlaying another demanding data regime on top of what is already a very complicated process for handling employee data.”
The CPRA does not apply to employees within an organization who do not work in California, but many legal observers are suggesting it might be wise to consider implementing a privacy policy that complies with the CPRA “since other states may follow California’s lead and pass employee data privacy legislation of their own,” according to ADP's HR blog.
I had the privilege of interviewing Argento on the latest episode of our “Practical Guidance: Data Privacy Series” podcast, where we invite experts to provide insights on timely data privacy and security issues facing legal practitioners. Listen now or download the episode regarding the employers who need to comply with the CPRA, what that compliance looks like, and a host of other pressing issues related to the CPRA.