The California Privacy Rights Act, which passed in 2020, will go into effect at the beginning of 2023 and will give employers additional compliance obligations in the workplace. The comprehensive data protection and privacy law protects employees and applicants of covered employers within California. Covered employers will need to reassess how they handle employee data and implement new or updated privacy policies in the workplace when the law goes into effect. In another recent California legislative move, Governor Gavin Newsom signed into law Assembly Bill 257, providing more empowerment to fast food workers.
Overview of the California Privacy Rights Act
The California Privacy Rights Act (CPRA), passed in November 2020, amends the existing California Consumer Privacy Act of 2018 (CCPA). The CPRA provides additional privacy protections for individuals. Specifically, these protections will apply to the personal information of employees, employees’ dependents who receive benefits, applicants, independent contractors, and board members. Additionally, the CPRA establishes the California Privacy Protection Agency (CPPA), which will implement and enforce the law.
Going beyond existing federal law that primarily protects data in employees’ personnel files and even bars employers from asking specific illegal interview questions, the CPRA provides more comprehensive data protection that allows individuals to opt out of, delete, or correct certain records. In this way, the CPRA closely mirrors data protection laws overseas, like the European Union’s General Data Protection Regulation (GDPR). The California Privacy Rights Act goes into effect on January 1st, 2023.
Covered Employers and Rights Under the California Privacy Rights Act
Whereas previous employer obligations under the CCPA only included providing notice of collection and reasonable safeguards outside of the employment setting, the CPRA will now expand those and other protections to employees. Covered employees will now have more data privacy rights under the CPRA. Consequently, covered employers will have more compliance obligations. Covered businesses will include those that:
- do business in California,
- operate for profit,
- collect the personal information of California residents, and
- have a gross annual revenue exceeding $25 million in the preceding calendar year.
In detail, employees covered under the CPRA will have the right to:
- receive notice about the type of information the employer collects, sells, shares, or otherwise discloses,
- correct any personal information the employer maintains,
- request the employer delete any personal information that they collected,
- receive or transmit to another entity a copy of their personal information, and
- request the employer limit the use or disclosure of sensitive information.
In preparation for the law going into effect, employers should review what personal data they currently have on employees and their current data collection processes. Ideally, this self-audit should proceed as soon as possible, as it may take several months to review the current data inventory and collection procedures and design and implement a new policy, if needed.
Nonetheless, employers should understand that they retain the right to deny certain requests in specific situations. Employers may deny requests for deletion if certain personal information is necessary to the employment relationship. In addition, the CPRA limits the right to correct information to that which can be verified. Employers should be careful, however, not to discriminate against employees who exercise their rights under the CPRA.
Similar State Legislation to the California Privacy Rights Act
Meanwhile, other states like Michigan, Ohio, and Pennsylvania are considering privacy legislation that closely mirrors the protections afforded to individuals under the California Privacy Rights Act. Colorado, Connecticut, Utah, and Virginia, likewise, have already passed significant privacy legislation also going into effect in 2023. Employers need to pay close attention to similar legislation in their own states as the push for more comprehensive data privacy law gains momentum nationwide.