In a notable event on Election Day this November, California voters approved amendments to the California Consumer Privacy Act (CCPA) and enacted a new statute – the California Privacy Rights Act (CPRA). The new statute expands California residents’ rights with respect to how businesses collect and use personal information. For instance, the new law expands an individual’s ability to control personal information by opting out of sharing information with third parties like online advertisers, and consumers will now have the ability to correct personal data that was previously collected by companies.
The new statute also establishes the California Privacy Protection Agency, a new regulatory body tasked with enforcing California’s privacy laws, a job that had previously been left to the state’s attorney general. The California Privacy Protection Agency will be the first state regulator in the country whose sole purpose is the implementation and enforcement of state data-privacy laws.
California’s privacy laws were already the most stringent in the United States even before this new statute. For instance, the CCPA already requires covered businesses that have employees in California to create and maintain an employee information privacy policy. The policy must safeguard the confidential information of covered businesses’ employees and job candidates, and the businesses must provide notice to their employees and job candidates in California before collecting their personal information. (The requirements do not apply to background checks conducted by a consumer-reporting agency at the request of an employer in accordance with the Fair Credit Reporting Act.)
The privacy notice must identify (a) the personal information the employer collects, and (b) the purposes for which the information is collected. The CCPA also prohibits employers from using employees’ and job candidates’ confidential information for purposes other than those set forth in the privacy policy. Covered businesses must provide employees and job candidates with a copy of or link to the privacy policy. In reaction to the COVID-19 pandemic, the CCPA also requires company policies to include details about health screenings and temperature checks.
Although no other state currently has a law as stringent as California’s CCPA or CPRA, 30 or more states have legislation in the works that contains at least some of the same requirements. As such, businesses should consider adopting employee privacy policies now to comply with the CCPA even if they currently have no employees in California, since other states are likely to enact similar statutory requirements that mimic those of the CCPA.
Businesses should also implement a written information security program (known as a “WISP”). That is because, since 2010, the state of Massachusetts has required every business that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a comprehensive and written information security program. The WISP must contain appropriate administrative, technical, and physical safeguards to protect personal information.
No enforcement actions have been filed to date, but we have seen recent evidence that the Massachusetts Attorney General may be gearing up to enforce this requirement. Indeed, when a business makes its required report of a data breach to the Massachusetts attorney general, it must also indicate whether it has a WISP. Given that many companies may own, license, or make use of personal information about Massachusetts residents, whether because the company has employees or customers in Massachusetts, and given that other states may at some point soon also require WISPs, we advise businesses to develop a WISP now.
The best time to review your privacy policies and procedures is before you are faced with a data breach that invites scrutiny from state regulators or a state regulatory enforcement action.