More privacy news from the Golden State.  On November 3, 2020, California voters passed a ballot measure that will expand the California Consumer Privacy Act (CCPA).  This amendment, also known as the California Privacy Rights Act of 2020 (CPRA), will substantially expand the current privacy obligations the CCPA imposes on employers and businesses that collect Californians' personal information.   

What did the CPRA Change?  Currently, the CCPA requires covered employers to distribute a Notice at Collection regarding personal data obtained about applicants, employees, and independent contractors.  Under the CPRA, however, covered employers must also comply with privacy policy requirements, individual rights obligations for consumers, and vendor management requirements. 

The CPRA also changes the definition of covered employers and businesses, data retention procedures, requirements for CPRA-compliant contracts with vendors, and expands data breach liability and data rights granted to California residents, including a consumer's right to request covered employers and businesses to correct inaccurate personal information.

What should covered employers and businesses do now?   First, make sure you're in full compliance with the current CCPA Notice requirements, which are already in effect. Next, covered employers and businesses needs to start preparing for the increased future CPRA requirements, which take effect in January 2023. The CPRA contains a 12-month lookback period for California residents' requests to exercise their new rights, and CCPA penalties are steep (up to $750 per violation).  We expect these increased future requirements to be burdensome and want to ensure as much lead time as possible so that employers are not caught in a "catch up" mode when penalties for non-compliance are in effect.

This means employers should begin updating notifications, creating privacy policies, and organizing human resources data in a manner that will allow you to respond to consumers' and employees' requests to correct, delete, and obtain details on the handling of, their personal information once the CPRA goes into effect. 

Have questions about your data privacy notices and other current and future requirements in California?  Don't worry-we are here to help!

Back to News & Resources