On February 9th, 2024, the California Court of Appeals rejected a lower court injunction of a new California privacy law. Previously, the California privacy law, known as the California Privacy Rights Act (CPRA), was enjoined by a Sacramento trial court. Originally scheduled to go into effect in early 2023, the trial court pushed the CPRA’s enactment to March 29th, 2024. Subsequently, the California Privacy Protection Agency (CPPA) appealed the decision, and the Court of Appeals rejected the lower court’s decision. Meanwhile, in a move that also affects California employers, in October 2023, Governor Gavin Newsom signed expanded California paid sick leave into law.
Overview of the California Privacy Law
Markedly, California voters passed the CPRA in November 2020, amending the California Consumer Privacy Act of 2018 (CCPA). Under its language, the CPRA provides additional privacy protections for individuals. Specifically, these protections apply to employees’ personal information, dependents who receive benefits, applicants, independent contractors, and board members. Additionally, the CPRA established the CPPA to implement and enforce the law.
Going beyond existing federal law that primarily protects data in employees’ personnel files and even bars employers from asking specific illegal interview questions, the CPRA provides more comprehensive data protection that allows individuals to opt out of, delete, or correct certain records. In this case, the CPRA closely mirrors data protection laws overseas, like the European Union’s General Data Protection Regulation (GDPR).
Previously, the CPRA was supposed to go into effect on January 1st, 2023 (later revised to July 1 of the same year). In light of the impending rule, according to Littler Mendelson P.C., the California Chamber of Commerce sued the Agency. The entity wanted an order requiring a one-year stay on enforcement from the date of the law’s adoption. As a result, the Sacramento court ordered the injunction until March 29th, 2024. Subsequently, the Agency filed a petition with the California Court of Appeals, which ended the injunction and instituted an immediate effective date.
Covered Employers and Rights Under the California Privacy Law
Whereas previous employer obligations under the CCPA only included providing notice of collection and reasonable safeguards outside of the employment setting, the CPRA expands those and other protections to employees. Therefore, covered employees now have more data privacy rights under the CPRA. Additionally, covered employers have more compliance obligations. In general, covered businesses include those that:
- do business in California,
- operate for profit,
- collect the personal information of California residents, and
- have a gross annual revenue exceeding $25 million in the preceding calendar year.
Simultaneously, employees who work for companies covered by the CPRA have the right to:
- receive notice about the type of information their employer collects, sells, shares, or otherwise discloses,
- correct any personal information the employer maintains,
- request the employer delete any personal information that they collected,
- receive or transmit to another entity a copy of their personal information, and
- request the employer limit the use or disclosure of sensitive information.
Employer Takeaways
In conclusion, the sudden effective date of the California privacy law (CPRA) means employers must hurry and become compliant. Specifically, employers should review the personal data they have on record and their current data collection processes. Ideally, this self-audit should proceed as soon as possible. Such an audit may take several months to review, while creating and implementing a new policy would also take additional time.
Nonetheless, employers should understand that they retain the right to deny certain requests in specific situations. For example, employers may reject requests for deletion if certain personal information is necessary to the employment relationship. Meanwhile, the CPRA limits the right to correct information to that which employers can verify. In the end, however, employers should be careful not to discriminate against employees who exercise their rights under the CPRA.