With the new year underway, and enforcement looming, it is more important than ever to ensure your organization is compliant with the California Privacy Rights Act (CPRA)—the amendment to the California Consumer Privacy Act (CCPA).
To help get you there, we have a few reminders and tips:
Covered Employers
While not every employer is required to comply, the CPRA requires compliance for many employers. As a reminder, a covered employer is an organization that:
- Maintains annual gross revenues in excess of $25 million in the preceding calendar year;
- Buys, sells, or shares personal information of 100,000 or more California consumers or households; or
- Derives 50 percent or more of its annual revenue from selling or sharing California consumers’ personal information.
Any employer with California employees should consult with counsel to evaluate the above criteria to determine whether their organization qualifies as a “covered employer”.
Enforcement of New Regulations
Last year, the California Chamber of Commerce successfully delayed enforcement of the new CPRA regulations that were issued on March 29, 2023. Nonetheless, the California Privacy Protection Agency (Agency) is allowed to commence enforcement starting March 29, 2024. Some regulations may already be enforceable.
Compliance Tips
A few action items toward compliance with the CPRA:
- Be Prepared: Get your team ready to respond to requests from employees about their personal information by conducting training and developing processes.
- Give Notice: Give Notice to all Applicants/Employees before or at the time you collect their personal information. The Notice’s goal is to inform employees and applicants of what information is collected, how it is used, and the rights that they have.
- Update Your Handbook: While you may already be updating your handbook to account for 2024’s new California labor laws, make sure that you have a compliant privacy policy in place that belongs in your employee handbook.
- Map Out Data: Full compliance requires employers to track where personal information data “lives”. It is important for employers to have their processes in place for data mapping.
As always, our Privacy Practice Group will continue to monitor developments related to the CCPA, the CPRA and the Agency’s enforcement actions.