On June 28, 2018, then California Governor Jerry Brown signed into law the California Consumer Privacy Act (CCPA). The CCPA provided significant privacy rights and protections to California consumers and placed numerous obligations on California businesses regarding the collection and sale of personal information belonging to California consumers. While the CCPA constituted a significant change for California businesses, its effect on California employers was limited. Specifically, the CCPA essentially only required most California employers to (1) provide notices when they collected personal information from their employees and (2) protect any collected personal information.
All of that changed in 2020 when California voters approved the California Privacy Rights Act (CPRA). The CPRA expands the CCPA and, for the first time, places significant obligations on California employers, which obligations go into effect on January 1, 2023.
The CPRA provides consumers (which includes employees and job applicants) with five basic rights:
- Right to know what personal information is collected
- Right to know what personal information is sold and/or shared
- Right to request that businesses delete their personal information
- Right to request that businesses correct any incorrect personal information
- Right to opt out of selling and/or sharing their personal information
A few things for California employers to keep in mind:
First, the CPRA generally only applies to California businesses that collect the personal information of consumers and that either (1) had annual gross revenues in excess of $25,000,000 in the preceding calendar year, (2) buy, sell, or share the personal information of 100,000 or more consumers, or (3) derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
Second, and beginning January 1, 2023, the more onerous duties contained in the CPRA will apply to employers who collect personal information from their employees and job applicants.
Third, failure to comply with the CPRA could result in enforcement actions being brought against employers by the California Privacy Protection Agency, the Attorney General, any District Attorney in any county in California, and the City Attorneys in the four largest cities in the state.
Based on this, California employers are strongly advised to immediately take steps to ensure they can comply by the January 1, 2023 deadline. These steps should include (1) determining what personal information they are collecting from their employees and applicants and the reasons for such collection, (2) determining if they are selling or sharing any collected personal information (as those phrases are defined in the CPRA), and (3) preparing privacy policies and notices to post on their website, distribute to their current employees, and/or incorporate into their job application materials.