As of May 2024, the California State Assembly's failure in November to pass two amendments intended to extend the grace period under the CPRA remains a significant event.
Since the CPRA came into effect in January 2023, there have been numerous high-profile discussions concerning California's employee privacy rights.
Although privacy advocates initially found these legislative developments both surprising and disappointing, California employees have been actively using the measures available to them under the current CPRA regulations to safeguard their personal data.
Highlights
- New Rights for Employees: The CPRA extends rights to employees, such as the rights to know, access, correct, and delete their personal information, the right to opt-out of sale/sharing, the right to limit use of sensitive information, and protection against retaliation. Employers now have stricter obligations regarding data minimization, purpose limitation, and data security.
- Eligibility Criteria: The CPRA applies to for-profit organizations in California that share the personal information of at least 100,000 consumers, earn $25 million in gross revenue, or derive 50% or more of their gross revenue from selling or sharing consumer information.
Everything You Need to Know About the Current Privacy Legislation
The California Privacy Rights Act (CPRA) is a piece of legislation that was approved by California voters in November 2020 as a ballot initiative, known as Proposition 24. It builds upon and significantly amends the California Consumer Privacy Act (CCPA), which was the original landmark privacy law in the state.
The CPRA made a number of changes to the CCPA, providing more robust privacy protections and granting California residents additional rights regarding their personal information.
Under the CCPA, employees were exempted from consumer rights and had only the right to know and the right to take private action in the event of a data breach. With the failure of AB 2871 and AB 2891, the CPRA's implementation did away with this exemption.
Similar to data protection laws such as the EU's General Data Protection Regulation (GDPR), the CPRA aims to ensure that personal information collected by any business entity on California residents, inclusive of employees, remains strictly protected.
What Are the Key Aspects of the CPRA?
The California Privacy Rights Act (CPRA) builds upon and amends the California Consumer Privacy Act (CCPA), enhancing privacy rights and protections for California residents. Here are some of the key aspects of the CPRA:
- Expanded Consumer Rights: The CPRA expands on the rights provided by the CCPA, including the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information collected from them, and the right to opt-out of automated decision-making technology.
- Sensitive Personal Information: The CPRA introduces a new category of "sensitive personal information," which includes data such as social security numbers, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. Consumers have the right to limit the use of this information.
- Data Minimization and Retention: Under the CPRA, businesses are not allowed to collect more personal information than necessary, are required to disclose how long they intend to retain each category of personal information, and may not keep it longer than necessary for the purpose for which it was collected.
- Risk Assessments and Cybersecurity Audits: The CPRA mandates that businesses conduct regular risk assessments and cybersecurity audits for their data processing activities, especially for processing that presents a significant risk to consumers' privacy.
- California Privacy Protection Agency (CPPA): The act establishes the CPPA, a new enforcement agency dedicated to implementing and enforcing the CPRA, taking over from the California Attorney General's office.
- Expanded Scope: The CPRA broadens the scope of businesses that fall under the law, including criteria based on the volume of consumer data processed, revenue from consumers' personal information, and businesses that derive a majority of their annual revenue from sharing consumers' personal information.
- Enhanced Protections for Minors: The CPRA increases fines for violations involving the personal information of minors under the age of 16 and requires businesses to obtain opt-in consent before selling or sharing the minor's personal data.
- Right to Opt-Out of Sale and Sharing: Consumers are given the right to opt out not only of the sale of their personal information but also of the sharing of their data for cross-context behavioral advertising.
- Contractual Requirements for Third Parties, Service Providers, and Contractors: The CPRA requires stringent contract terms with third parties, service providers, or contractors that are provided personal information, ensuring they adhere to the same level of privacy protection as the business itself.
- Enforcement and Penalties: The CPRA includes provisions for enforcement and increases penalties for infractions, especially those involving children's information.
- No More 30-Day Cure Period: Unlike the CCPA, the CPRA removes the 30-day grace period for businesses to address violations before enforcement action is taken.
The CPRA notably establishes new frameworks for handling personal information, aiming to give California residents more control over their data while imposing stricter obligations on businesses to protect that data. It's been a significant step in the evolution of privacy law in the United States and has influenced the development of similar privacy laws in other states.
What Are the New Employee Rights Under the CPRA?
The CPRA's aim is to expand and redefine the CCPA to strengthen the existing privacy rights for California consumers with new rights that include:
- Right to Know: Employees have the right to know what personal information is being collected about them and the purposes for which it is used.
- Right to Access: Employees can request access to the specific pieces of personal information that their employer has collected about them.
- Right to Correct: If an employee discovers that the personal information held by their employer is inaccurate, they have the right to request a correction.
- Right to Delete: Employees may request the deletion of their personal information under certain conditions, although employers may be able to deny these requests based on specific exceptions related to the employment relationship.
- Right to Opt-Out of Sale/Sharing: While the CCPA granted consumers the right to opt out of the sale of their personal information, the CPRA extends this right to include the sharing of personal information for purposes of cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: Employees have the right to limit the use of their sensitive non-employment-related personal information.
- Protection Against Retaliation: Employers are prohibited from retaliating against an employee for exercising their CPRA rights.
- Data Minimization and Purpose Limitation: Employers have to adhere to principles of data minimization and purpose limitation, collecting only the personal information that is necessary for the purposes for which it is collected.
- Data Security: Employers have an obligation under the CPRA to implement reasonable security measures to protect employee personal information.
Employers need to be aware of these CPRA amendments and start taking steps toward compliance to avoid fines due to any violations. These new rights present challenges for most organizations as they now have to restructure how and where they store employee data.
CPRA provisions also extend to job applicants, independent contractors, and all other California residents whose personal information might be collected by a company.
Understand Where Your Business Stands on Complying With CPRA
The CPRA applies to any for-profit organization dealing with the personal information of California residents that meets one of these three criteria:
- Organizations that share the personal information of at least 100,000 consumers. The CCPA's threshold was 50,000 consumers, and this increase eases the pressure on small and medium-sized enterprises.
- Organizations making $25 million in gross revenue.
- Organizations that make 50% or more of their gross revenue from sharing or selling personal information collected on consumers.
Things Organizations Should Do Now to Avoid Problems Down the Road
Your organization needs to understand the type of data that fits an employee's rights request, know the data's classification, and especially where it's stored. The first step is to implement effective centralized and automated processes to manage employee rights requests and verify the requester's identity.
Data storage and access automation will streamline the data search process, reducing backlog when dealing with a high influx of requests. Finally, after finding the personal information, a redaction of proprietary or other individuals' private information is needed to help fulfill the request. Automated redaction solutions will save you money and time and ease the whole process.
iDox.ai is your number-one solution for AI-powered data discovery and document redaction. Our iDox.ai Discovery tool efficiently finds sensitive data such as personally identifiable information (PII) when searching through large stores of data.
On the other hand, iDox.ai Document Redaction will help redact PII with speed and ease. Request a demo or contact us today for a free trial.