California residents have voted to expand the California Consumer Privacy Act of 2018 with the California Privacy Rights Act of 2020
The law, effective January 1, 2023, expands existing privacy rights and establishes the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA beyond the state’s Attorney General’s Office
The law will also remove the ability of businesses to fix certain violations before being penalized for those violations
On November 3, 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). Proposition 24 expands on the existing California Consumer Privacy Act of 2018 (CCPA) in several ways that affect employers doing business in California, who may now be required to be in compliance with the CPRA, or what some are calling “CCPA 2.0.”
Prior to the passage of Proposition 24, the original CCPA enacted in 2018 afforded California consumers and employees rights over how and whether the personal data they provide to businesses is collected, retained, and sold. Because the CCPA’s definitions are broad, employee data that employers collect for employment purposes was included. Generally speaking, the CCPA applied to either (1) for-profit businesses with over $25 million in gross revenues that conduct business in California and collect personal information of California residents; (2) businesses that give, receive, sell, or share personal information of 50,000 or more California residents for commercial purposes; or (3) businesses that derive 50 percent or more of their annual revenue from selling California residents’ personal information. The businesses do not require a physical presence in California.
In 2019, the California legislature passed Assembly Bill 25 (AB 25), which largely exempted employers from the requirements to protect employee information under the CCPA for one year through January 1, 2021. In 2020, the state assembly passed AB 1281, replacing AB 25, extending the exemption for employee personal information from most requirements of the CCPA to January 1, 2022.
Exemptions and Expansions: CPRA
On the heels of passing AB 1281, California voters approved Proposition 24, which extended the exemption for employers to January 1, 2023. The CPRA also expanded existing privacy rights under the CCPA. Effective January 1, 2023, businesses are responsible for taking additional steps to protect private information, including, without limitation:
- Ceasing to share information upon the consumer’s request
- Providing an opt-out option for sensitive personal information
- Obtaining permission to collect information from those younger than 16 years old and obtaining permission from a legal guardian for those under 13 years old
- Correcting any inaccurate personal information upon a consumer’s request
- Taking reasonable security measures to protect personal information
Additionally, CPRA establishes the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA beyond the state’s Attorney General’s Office. This is particularly pertinent for businesses, as the law also removes the ability of businesses to fix certain violations before being penalized for those violations.
That said, Proposition 24 will not be the “last word” on California consumer privacy rights. The California Attorney General’s Office and the CPPA must promulgate proposed final CPRA regulations no later than July 1, 2022.
While covered California employers subject to the CCPA and CPRA may rest easier knowing that they are exempt from compliance of these privacy laws until January 1, 2023, they should continue to monitor developments on the CPRA to determine if they need to make any changes to the storage and maintenance of personal information or to their privacy policies and practices in general. Goldberg Segalla’s Employment and Labor and Cybersecurity and Data Privacy practices are ready to help employers determine whether they need to be compliant with this emerging area of privacy and employment law.