Colorado’s and Virginia’s emulation of California by recently enacting comprehensive privacy laws is an important reminder to California employers that the clock is ticking to comply with California’s new privacy regulations. California employers should be aware that the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), which amended portions of the CCPA bringing it closer to the rules governing privacy rights in Europe, have significant implications about protection of employee data in addition to consumer data.
Criteria for Covered Employers
The good news is that the CPRA amended the CCPA to reduce the number of employers who must comply and to extend the exemption period from CCPA compliance for employment and business-to-business data until January 1, 2023. Starting in January 2023, the California’s privacy laws will apply to organizations that:
- Maintain annual gross revenues in excess of $25 million in the preceding calendar year;
- Buy, sell, or share personal information of 100,000 or more California consumers or households (compared to the 50,000 or more under the CCPA); or
- Derive 50 percent or more of their annual revenue from selling or sharing California consumers’ personal information.
As employers, it is important to assess these measurements promptly to prepare for 2023.
“Personal Information” Defined
Unfortunately for employers, the CPRA expanded the definition of employee “personal information,” to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee. This includes a plethora of information such as name, contact information, protected classification (marital status, race, sexual orientation), financial or medical information, religious beliefs, union membership, internet or electronic network activity information, professional or employment-related information, education information, and more. To make matters more complicated, the contents of an employees’ email, mail, and private messages are considered sensitive personal information as a new sub-category of “personal information,” unless the employer is the intended recipient of the communication.
Notice and Data Mapping
Implementing and complying with privacy laws takes time, so employers need to begin this process now. As a starter, employers must give employees notice about “personal information” that is collected, including the collection of COVID-19 vaccination information. The mandatory data-mapping process, creating a map of how data is managed and stored in your organization, is involved and time-consuming. Covered employers need to know where personal information comes from, where it is located, how data is stored, and take security measures to maintain the data safely. Depending on your organization, this process may require outside consultants or a dedicated in-house team.
The CPRA created the California Privacy Protection Agency (CPPA) with powers to make rules, investigate, and enforce the CPRA. The CPRA eliminated the current 30-day cure period from the CCPA after notice from the California Attorney General of alleged violations and increased the maximum penalties. While the CCPA created a private right of action after personal information that was not reasonably protected is disclosed or hacked that is currently the foundation for numerous class action lawsuits, the CPRA’s expansion of the definition of “personal information” to include sensitive personal information will only expand the likelihood that plaintiffs’ lawyers will commence unwelcome lawsuits alleging that personal information was not properly secured.
Mark Your Calendar
There is no doubt that complying with the CCPA/CPRA is a beast. Therefore, California employers should watch out for several important deadlines:
- January 1, 2022 – Obligation to respond to personal information requests commences.
- July 1, 2022 – Deadline for final CPRA regulations to be adopted by the CPPA.
- January 1, 2023 – CPRA enters into full force.
- July 1, 2023 – Enforcement of the CPRA begins under the CPPA.
Early Preparation is Wise
While this may appear to be overwhelming, California employers that start preparing now to understand how and to what extent the CCPA and CPRA affect their organization will have sufficient time to get into compliance without undue concern.