California Privacy Rights Act

The California Privacy Rights Act (“CPRA”) went into effect on January 1, 2023. Enacted by Proposition 24, the CPRA expands and builds on the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA is a California state law that established and protected privacy rights for Californian residents. While most of the CPRA is a restatement of the CCPA, there are some significant changes to whom these laws now apply as well as two new rights given to California residents. Most important for employers is the end of the business-to-business exception, which offered employers an exemption to the CCPA regarding employment-related information.

As of January 1, 2023, the CPRA in its entirety applies to employer-employee relationships with a few exceptions.i This means that businesses must provide privacy notices in compliance with the CPRA regarding the collection and use of employment-related information. The CPRA's obligations extend to all workforce members, including employees, directors, officers, contractors, owners, as well as job applicants, who are residents of California. Enforcement of the CPRA begins on July 1, 2023.ii It would benefit any business to check with its legal department or outside counsel to ensure it is CPRA compliant.

Changes in Threshold Requirements

The CPRA has changed the threshold requirements for application to businesses. The CPRA applies to for-profit businesses that collect personal information from California residents and meet one of the following requirements:

  • The business had an annual gross revenue in excess of $25 million in the preceding calendar year (Prior requirement was an annual gross revenue over $25 million);
  • The business annually buys, sells, or shares the personal information of 100,000 or more Californian consumers or households (increased from 50,000 in the CCPA); or
  • The business derives 50% or more of its annual revenues from selling or sharing personal information (Prior to the CPRA, this threshold only included selling of personal information).iii

Further, any entity that controls or is controlled by a business that meets one of these requirements, shares common branding with the business, and with whom the business shares consumers’ personal information must comply with the CPRA.iv

This means that some businesses that did not previously have to comply with the CCPA now meet the new threshold, while others who were once bound by the CCPA might not meet the requirements for the CPRA. For example, a business with annual gross revenue of $15 million that annually buys the personal information of 70,000 California consumers and derives 20% of its annual revenues from the selling or sharing of information would have been subject to the regulations of the CCPA but would not under the CPRA.

Restated, if a business either (1) had an annual gross revenue over $25 million last year, (2) buys, sells, or shares the personal information of 100,000 or more Californian consumers or households, or (3) derives 50% or more of its annual revenues from selling or sharing personal information, it must comply with the CPRA and provide privacy notices to the Californian residents that it collects data on. This includes employees.

Notice Requirements Under the CPRA

Businesses that meet the threshold requirements of the CPRA must provide notice to California employees at or before the time of collection of personal information regarding the following:

  • The categories of personal information that are collected;
  • The purposes for which the categories of personal information are collected and used;
  • Whether the categories of personal information that are collected are sold or shared;
  • The categories of sensitive personal information that are collected;
  • The purposes for which the categories of sensitive personal information are collected and used;
  • Whether the categories of sensitive personal information that are collected are sold or shared; and
  • The length of time the business intends to retain each category of personal information, including sensitive personal information. If there is no exact length of time, then the business must provide the criteria used to determine the length of time.v

After notice is given, the business may not collect additional categories of personal information or use personal information collected for additional purposes without providing additional notice consistent with the requirements of the CPRA.

Importantly, a business’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which the personal information is collected or processed. An employer that collects an employee’s personal information must implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the collected information.

Furthermore, in order to comply with the rights enumerated in the CPRA, businesses that fall under the statute are required to provide two or more methods for employees to submit requests for information regarding personal information being collected by the business, requests for deletion, or requests for the correction of personal information.

Rights Under the CPRA

Californian employees enjoy rights regarding their personal information, including the right to access,vi the right to know what information is being sold or shared and to whom,vii the right to delete,viii the right to opt out,ix and the right of no retaliation.x However, until January 1, 2023, these rights were exempted under the CCPA’s business-to-business exception. Since that exemption no longer applies, employers must make sure that their California employees are able to exercise all these rights. In addition to the rights originating from the CCPA, the CPRA grants two additional rights: the right to correct inaccurate personal informationxi and the right to limit the use and disclosure of sensitive personal information.xii

The right to access and the right to know what information is being sold or shared gives an employee the right to request the employer disclose the categories and specific pieces of personal information the employer has collected as well as what information the employer has sold or shared and to whom.

The right to delete gives an employee the right to request an employer delete any personal information that the employer has collected from the employee. This right does not extend to information that is otherwise publicly available. When an employee exercises this right, the employer must also direct any applicable third parties to delete the information as well. There are exceptions to this right to deletion, including when the information is required for performing a contract between the employee and employer and if the information is needed to comply with legal obligations.

The right to opt out gives an employee the right to opt out of the employer selling or sharing the employee’s personal information.

An employee has the right to request the employer correct any inaccurate personal information maintained about the employee. The business must use reasonable efforts to correct the inaccurate personal information considering the nature and purpose for collecting that personal information.

The right to limit the use and disclosure of sensitive personal information gives employees the right, at any time, to direct a business that collects sensitive personal information about the employee to limit its use of the employee’s sensitive personal information to that use which is necessary based on the relationship between the employee and the business. The business must then follow the limited use and disclosure request unless the resident thereafter grants consent.

Lastly, the right of no retaliation is an express statement in the CPRA and provides that employers may not retaliate against an employee for exercising any of their rights under the CPRA.

For additional guidance and assistance, please reach out to the attorneys at Palmer Kazanjian Wohl Hodson LLP.


i See Cal. Civ. Code, § 1798.145 (referencing exceptions to employer obligations under the CPRA).

ii Cal. Civ. Code, § 1798.185(d).

iii Cal. Civ. Code, § 1798.140.

iv Cal. Civ. Code, § 1798.140.

v Cal. Civ. Code, § 1798.130.

vi Cal. Civ. Code, § 1798.110.

vii Cal. Civ. Code, § 1798.115.

viii Cal. Civ. Code, § 1798.105.

ix Cal. Civ. Code, § 1798.120.

x Cal. Civ. Code, § 1798.125.

xi Cal. Civ. Code, § 1798.106.

xii Cal. Civ. Code, § 1798.121.