Less than a year after the California Consumer Privacy Act (CCPA) went into effect, California’s electorate approved a ballot measure that will substantially expand the privacy obligations the CCPA imposes on employers. On November 3, 2020, Proposition 24, known as the California Privacy Rights and Enforcement Act of 2020 (CPRA), received sufficient votes to become law, following certification of the election results by California’s Secretary of State.
Employers subject to the CPRA need not scramble to comply yet. The provisions of the CPRA relevant to businesses do not come into force until January 1, 2023. However, because employers have enjoyed a carve-out from most CCPA requirements, they are likely to need a significant portion of the two-year grace period to implement policies, procedures and other compliance measures to address the CPRA’s enhanced requirements. As described more fully below, the CCPA has only required employers to distribute a Notice at Collection. Under the CPRA, covered employers also must comply with privacy policy, individual rights, and vendor management requirements. In addition, the CPRA increases the risk of data breaches.
Extension of the Partial Exemption for Human Resources Data until 2023
The CCPA exempts the data of employees, applicants, independent contractors, and members of a covered business’ board of directors (HR Individuals) from most of its requirements until January 1, 2022. Under this exemption, only two of the CCPA’s provisions now apply to covered employers: (a) the requirement to provide a “Notice at Collection,” and (b) a California resident’s right to recover up to $750 in statutory damages for certain types of data breaches. Regarding the Notice at Collection, the CCPA requires employers to provide a notice at, or before, collecting personal information from HR Individuals describing (a) the categories of personal information the employer will collect, and (b) the purposes for which the employer will use that information.
The CPRA extends the sunset date for the CCPA’s exemption for HR Individuals until January 1, 2023, when the CPRA goes into effect. On that date, covered employers must comply with the full CPRA. In short, the CPRA will not contain a carve-out for the data of HR Individuals.
Key Requirements of the CPRA
The CPRA creates a comprehensive data protection regime similar to data protection laws in many other countries, such as the European Union’s General Data Protection Regulation. In essence, the CPRA contains four classes of requirements:
- Notice;
- Data rights;
- Vendor management; and
- Data security.
The CPRA requires two types of notice. The first is the Notice at Collection described above, but is expanded to also require disclosure of how the employer shares personal information, handles sensitive personal information, and retains personal information. The second is the privacy policy that the covered business must post on its website. The privacy policy must cover additional information about how the business handles personal information, as well as describe California residents’ rights under the CPRA. While most businesses already have a publicly posted privacy policy describing their handling of consumer data, even employers that have voluntarily chosen to create a privacy policy addressing their handling of HR data rarely post that policy on their external website.
The CPRA also expands the data rights granted to California residents. Under the CCPA, California residents have the right to know how a covered business handles their personal information, the right to request that the business delete their personal information, and the right to opt out of sales of their personal information. The CPRA adds the rights to correct personal information, to limit the use and disclosure of sensitive personal information, and to opt out of the sharing of personal information for certain types of behavioral advertising.
Notably, the CPRA contains a 12-month lookback period for California residents’ requests to exercise their new rights. This means that, commencing on January 1, 2022, employers should tag and arrange their human resources data so that they can respond to employees’ requests to correct, delete, and obtain details on the handling of, their personal information once the CPRA goes into effect on January 1, 2023.
While the CCPA only provides incentives to businesses to include CCPA provisions in vendor contracts, the CPRA requires covered business to sign CPRA-compliant contracts with vendors that handle the business’s personal information. Therefore, for most covered employers, compliance will require a campaign to amend contracts with HR vendors. Here again, covered employers should take steps to comply well in advance of the January 1, 2023, compliance deadline.
Finally, the CPRA expands the types of data breaches for which a California resident can recover statutory damages to include breaches of online login credentials. The existing right to recover statutory damages, particularly when coupled with this expansion, provides covered employers a strong incentive to enhance their security measures.
Amendments, Regulations, and Enforcement
Unlike the CCPA, which California legislators amended twice to reduce burdens on employers, the CPRA likely will not be amended to create an exemption for the data of HR Individuals. California legislators can amend the CPRA through the regular legislative process. The CPRA stipulates, however, that it may be amended only to the extent that such amendment is “consistent with and [will] further the purpose and intent of the [Act].” The CPRA’s purpose and intent is to “further protect consumers’ [privacy] rights.” Therefore, any amendment that seeks a carve-out for HR Individuals’ data likely would be challenged as an impermissible limitation on privacy rights.
Employers should take note that the risk of enforcement under the CPRA likely will be materially higher under the CPRA. The new law creates the first-ever state agency, called the California Protection Agency, focused on enforcing privacy protections. The agency is also authorized to issue regulations explicating how the CPRA will apply to a long list of issues. Final regulations must be adopted by July 1, 2022.
With the exception of the private right of action for data breaches, only the California Protection Agency can enforce the CPRA. Enforcement may commence on July 1, 2023 and will apply only to violations occurring on or after that date.
Next Steps for Employers
Employers with HR Individuals in California should consider taking the following steps now:
- Determine whether they are businesses subject to the CPRA; and
- If subject to the CPRA:
- Identify the teams that will lead their CPRA compliance efforts;
- Commence a data-mapping exercise to identify all of their repositories of HR Individuals’ personal information and the flow of that personal information into, and out of, the company; and
- Based on the results of the data mapping, develop a plan to achieve compliance with the CPRA by January 1, 2023.