More than two years after California voters passed a law amending the state’s landmark privacy rights statute, new regulations implementing the law finally took effect last week – but unfortunately leave four key questions for employers unanswered. And while the agency charged with regulating the law is working to develop further guidance for employers, there will no doubt be a period of turbulence in California workplaces until it is finalized later this year. What four questions do employers still have after this latest development, and what should they do in the meantime?

Quick Background

The California Privacy Rights Act (CPRA) was passed by California voters in November 2020, amending the landmark California Consumer Privacy Act (CCPA). Most of the new consumer rights contained in the new law became effective this January 1, including new rights for employees and job applicants of covered employers.

The amendments passed by voters also established a new enforcement agency – the California Privacy Protection Agency (CPPA) – which last spring proposed a set of regulations that just took effect last week. While they are supposed to be a comprehensive set of instructions and guidance on how to implement the law, they leave much to be desired when it comes to workplace rights and responsibilities.

4 Big Questions Unanswered

While the regulations might provide businesses a bit of helpful guidance for compliance, they leave open many questions – especially since the agency in charge neglected to provide employers with any guidance on how any of the rules apply in the employment context. Employers attempting to make sense out of the 60+ pages of text will find literally nothing answering four key questions:

1. How should employers respond to consumer requests from employees and job applicants? This is starkly different than the situation facing a consumer-facing business responding to requests from its customers, a topic covered in depth in the regulations.
2. How should employers handle cybersecurity audits?
3. What should employers do about risk assessments?
4. How can employers use automated decision-making in a way that doesn’t run afoul of the state privacy law?

While the CPPA is currently engaged in additional rulemaking on topics 2, 3, and 4 and additional regulations on these three topics are expected later this year, it is unlikely that the agency will address the first topic any time soon.

What Should Employers Do in the Meantime?

Businesses subject to the CCPA should take immediate action to comply with the new regulations, as non-compliance is a violation of the CCPA and leaves businesses vulnerable to penalties and potential legal action. We have developed a seven-point plan that you can follow in order to make sure you are in the best position to comply.

Additionally, California consumers will soon be able to file complaints with the state agency for alleged CCPA violations starting on July 1. Not all businesses are subject to the law. Click here for our helpful guide on whether the law even applies to your business.