Getting to Know the California Privacy Rights Act

By Kevin Hylton | LexisNexis Practical Guidance

The voters of California once again laid the foundation for a new compliance challenge for companies when they passed Proposition 24 back in 2020. This initiative, the California Privacy Rights Act (CPRA), expands California’s landmark consumer privacy law to establish even broader consumer protections and impose greater penalties on businesses that fail to comply.

The CPRA becomes fully operative on January 1, 2023, but it applies to personal data collected on or after January 1, 2022, so in essence there are a number of key provisions that have already taken effect. And importantly, it cannot be repealed by the state legislature.

One of the curious provisions of the new law is the creation of the California Privacy Protection Agency, a five-member panel that will oversee enforcement of the statute. The CPRA may be enforced beginning on July 1, 2023 — and only as to violations that occur on or after that date — but the practical reality is that implementation is running behind the schedule outlined in the law, which was passed by 56% of California voters.

“The deadline for promulgating regulations as set out under the CPRA has long passed, which means businesses are eager to receive finalized rules,” Law360 reported on Nov. 23, 2022. “In light of the Office of Administrative Law’s 30-day review period, the soonest companies will likely receive finalized regulations is at the end of January or February. However, depending on what transpires during the comment period and the following activity, this timeline may be further delayed.”

Regardless of the precise date of implementation and enforcement, the CPRA is a sweeping new law that will have important implications for any organization doing business in California. It allows consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ usage of sensitive personal information (e.g., geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information).

For employers, here is the troubling part: There is no exception made to data collected and stored for purposes of human resources management.

“The CPRA is a data privacy law that was written with the consumer in mind, but it applies very awkwardly to employers,” said Zoe M. Argento, shareholder at Littler, where she is co-chair of the firm’s Privacy and Data Security Practice Group. Argento represents and counsels clients on all aspects of workplace privacy and information security.

The CPRA applies to any organization that has one or more employees in California if the company made more than $25 million in revenue globally during the previous calendar year. It does not apply to non-profit organizations or government entities.

“In the U.S., employers have not had to deal with a comprehensive data privacy law like this before,” explained Argento. “For example, the existing California Consumer Privacy Act exempts HR-related data, except for certain circumstances such as data breaches. The CPRA now requires several elements of comprehensive protection of HR data, which is very burdensome and a lot of work for businesses.”

Argento identified some of the key requirements in the CPRA that employers need to understand:

• Notice — a very robust requirement that includes the categories of personal information collected by the company and how it is used;
• Retention — disclosure of how long the business will keep the personal information and the data retention schedule it will follow;
• Proportionality — information can only be collected and retained “as reasonably necessary” to accomplish the purpose for which it was collected, then it must be purged from the company’s systems;
• Vendor Contracting — companies must ensure that all vendors who handle personal information pertaining to California residents have reviewed and signed a CPRA requirements agreement;
• Data Rights — all individuals covered under the law now have the rights to know, correct, obtain copies and delete personal data handled by their employers;
• Data Security — all companies must implement and maintain reasonable data security protocols; and
• Training — those who handle personal information for a company must be made aware of the CPRA requirements for data privacy.

“HR departments are handling a lot of sensitive information and very disparate types of information — everything from performance valuations and tax information to benefits and health data — and they’re already subject to a lot of demanding requirements for handling data in the HR context,” Argento said. “So the CPRA is really overlaying another demanding data regime on top of what is already a very complicated process for handling employee data.”

The CPRA does not apply to employees within an organization who do not work in California, but many legal observers are suggesting it might be wise to consider implementing a privacy policy that complies with the CPRA “since other states may follow California’s lead and pass employee data privacy legislation of their own,” according to ADP's HR blog.

I had the privilege of interviewing Argento on the latest episode of our “Practical Guidance: Data Privacy Series” podcast, where we invite experts to provide insights on timely data privacy and security issues facing legal practitioners. Listen now or download the episode regarding the employers who need to comply with the CPRA, what that compliance looks like, and a host of other pressing issues related to the CPRA.