Introduction: Earlier this year, California’s new consumer privacy law, the California Consumer Privacy Act (CCPA), went into effect, and state enforcement began on July 1. Since its enactment, the CCPA has undergone several amendments because the plain meaning of the law’s text was not clear. Employers affected by the CCPA had to revisit their workplace policies and business practices and swiftly implement the changes needed to afford consumers additional rights and protections relating to the collection, sale, and use of personal information. A new measure, known as the California Privacy Rights Act (CPRA), will appear on the upcoming November ballot. This measure amends the CCPA and provides stronger privacy rights to California residents, including employees.
Effective Date: If the CPRA passes, it will go into effect on January 1, 2023, except that certain provisions relating to funding and the establishment of a new government agency will take effect immediately.
Which Businesses Are Covered? Presently, the CCPA applies to for-profit businesses that collect the personal data of consumers (including employees), do business in California, and satisfy one of three threshold criteria. The CPRA modifies those criteria and extends coverage to businesses that share personal data, regardless of whether the business receives monetary compensation. A business will be covered by the CPRA if it meets one of the following criteria:
- Businesses that have gross annual revenue in excess of $25 million, which is based on the annual gross revenue as of January 1 of the prior calendar year;
- Businesses, alone or in combination, that annually sell, buy, or share personal information of 100,000 or more consumers or households; or
- Businesses that derive 50 percent or more of their annual revenues from selling or sharing consumer personal data.
Additionally, the CPRA will apply to for-profit and/or non-profit businesses that are controlled by and share common branding with a covered business.
Summary of Key Changes: The following is a summary of a few key changes and additions that the CPRA will impose if it is passed:
- Establishment of New Agency: The CPRA will establish a new privacy protection agency to enforce the CPRA and to issue new rules and regulations, a role currently filled by the Attorney General. This agency will be authorized to audit businesses and to require regular risk assessments to ensure compliance with the CPRA.
- New Category of Personal Information: The CPRA will add a new category of “sensitive personal information” and will afford it heightened protection. This category includes: social security number, driver’s license information, financial account access information, payment information, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of communications (unless the business is the intended recipient), genetic data, biometric data processed for identification purposes, health information, sex life, and sexual orientation.
- Expansion to Sharing of Information: As briefly stated above, the CPRA also covers businesses that share personal information. “Sharing” is defined as providing information for “cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” As phrased, this may restrict online advertising networks from receiving and/or using consumer personal data where a consumer has opted out.
- Additional Rights: Consumers will have additional rights, such as the ability to correct their personal information, opt out of advertisers’ use of precise geolocation, receive information on the length of data retention, and restrict the use of sensitive personal information. For instance, consumers will have the right to require a business to limit its use of sensitive personal information to what is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests them.
- Additional Notice Requirements: Businesses will be required to notify consumers of these new rights. Businesses may satisfy part of this obligation by including a link on their website that allows consumers to limit the use of their sensitive personal information.
- Anti-Retaliation Provision: The CPRA will expand the law’s existing anti-discrimination rights to prohibit retaliation against employees, applicants, and independent contractors who exercise their rights under the law.
- Notice and Opportunity to Cure: The CCPA provides businesses an opportunity to cure after a consumer gives 30 days’ notice. The CPRA limits this right and clarifies that implementing and maintaining reasonable security procedures and practices after a breach does not constitute a cure of that breach, which could be a defense under the current CCPA.
- Extended Exemption Period Concerning Employee Data: The CCPA currently exempts personnel and applicant data until January 1, 2021. The CPRA will extend this exemption through January 1, 2023.
- Expanded Deletion Rights: Unless an exception applies, service providers and contractors that receive a verified consumer request to delete personal data must delete the data. They must also take the further step of passing the request down the supply chain to their own service providers, contractors, and third parties.
- Retention of Personal Data: The new measure would limit businesses’ retention of personal information to what is “necessary and proportionate” to achieve the purposes of collection or processing, or for other disclosed purposes compatible with the context of collection.
The Bottom Line: If this measure passes, employers should prepare in advance to implement the policies and procedures needed to comply with the CPRA. Measures will need to be taken to safeguard personal data, and notices should be prepared in advance to satisfy the CPRA’s notice requirements. Employers may also need to prepare guidelines on how to address consumer and employee concerns under the CPRA and provide adequate training to the employees who handle CPRA matters.