Following the failure of a measure that would have delayed effectiveness of the California Privacy Rights Act (CPRA), employers in California now must comply with the state’s privacy law beginning January 1, 2023.
In 2020, California voters approved Proposition 24, which created the CPRA and expanded the California Consumer Privacy Act (CCPA).
Employers had faced minimal requirements under the CCPA due to a partial exemption in the law for information collected in the context of employment. The CPRA ends that exemption.
While a bill was introduced in this year’s legislative session that would have delayed effectiveness of the CPRA for employers until 2026, it failed to pass, leaving employers facing a host of new requirements.
As of January 1, 2023, employment information will be treated as consumer information under the CPRA, so employees, applicants and contractors must receive notice at or before collection that discloses the categories of employment information being collected, the purposes for which it is used and information about the employer’s retention policies.
In addition to notice, employees gained other rights, such as the right to correct the personal information maintained by the employer, the right to request that the employer delete the personal information the employer has collected about them, the right to request that the employer provide them with or transmit to another entity a copy of their personal information, and the right to request that the employer limit the use and disclosure of “sensitive personal information.”
These rights aren’t unlimited. Employers have the latitude to deny a request to delete personal information that is required to carry out the employment relationship (to provide benefits or process payroll, for example) or that must be retained under statutory requirements (such as pay data disclosures).
The CPRA also protects employees from discrimination for exercising their rights under the statute.
Why it matters: To comply with the CPRA, employers must understand how they collect, use, retain and disclose the personal information of employees and applicants. In addition, they must develop policies, procedures and forms and train staff on how to process requests by employees to access, correct and/or delete personal information. Because contractors and third parties must also comply, employers should be prepared to update their agreements with service providers.