Everything You Need to Know About the California Privacy Rights Act

Detail of California map

The California Privacy Rights Act (CPRA) is a new comprehensive consumer privacy law. It was adopted via referendum by the state of California and aims to protect individuals' data privacy rights, including those of employees. The CPRA expands pre-existing consumer privacy legislation and outlines how businesses, including employers, must operate when it comes to collecting, storing, using, and sharing consumer data.

New state legislation, such as the California Privacy Rights Act, can often feel like a jumbled grab bag of rules and regulations. They can be difficult to read and even more difficult to understand, and that doesn't even consider trying to determine if and how they apply to your organization.

The danger of not knowing what's in new legislation and how it might affect your organization is that it exposes your organization to potential risks associated with non-compliance. In other words, without knowing the rules, you may end up breaking them by accident, and that could have serious consequences. To that end, we connected with Jason Albert, global chief privacy officer at ADP, Melissa Kelly, senior director of government relations at ADP, and Marcia Nelson, senior U.S. privacy counsel at ADP, who were the featured presenters on this webcast, available on demand: California and the New Rules for Employee Privacy: What HR Professionals Need to Know. Below are their insights and and answers about the CPRA and how it affects employers.

What is the California Privacy Rights Act (CPRA)?

The CPRA is a new consumer privacy law that protects individuals' data privacy rights. It was adopted via referendum by the state of California, which is a fancy way of saying, it was voted into effect by the residents of California after being added to the ballot by a citizen-initiated measure. It will go into effect on Jan 1, 2023. The CPRA builds on previous legislation, the California Consumer Privacy Act (CCPA), which was passed in 2018 and expands employers' obligations when it comes to collecting, storing, using and sharing personal data belonging to their employees. This new law defines different types of "personal information" and lays out the rights employees have when it comes to collection and use as well as correction and deletion of their data.

What's the difference between the California Consumer Privacy Act (CCPA) and the CPRA?

The difference between the CPRA and the CCPA is that the CPRA provides consumers with additional rights (e.g., the right to opt-out of cross contextual advertising) and applies to employment data. It also requires service providers to make contractual commitments on the protection and use of data as well as requires businesses to include details regarding the retention period — how long they will keep the data — for each category of personal data or explain how retention is determined in the consumer privacy notice.

In addition, the CPRA also expands the breach liability to include unauthorized access or disclosure of certain data elements (e.g., email address, passwords, or security questions). Basically, this means is that the CPRA has broadened what would be considered "breaking the rules" to include unauthorized access or disclosure of certain data elements.

Does the CPRA apply to me?

The CPRA applies to your organization if you have employees — or even one employee — in California and if your company made over $25 million in revenue globally in the previous calendar year. It's important to note that the CPRA does not apply to nonprofit organizations or government organizations.

If your organization is not in California, but you have one or more employees working remotely in California, the law would only apply to those employees. In other words, it would not apply to the employees within your organization who do not work in California. However, it may be wise to consider implementing a privacy policy that complies with the CPRA for all employees within your organization since other states may follow California's lead and pass employee data privacy legislation of their own. In other words, employers should be prepared for legislation like the CPRA to affect more than just California employees in the future.

"We should absolutely expect to see a flurry of states consider comprehensive consumer privacy bills 2023 ... It will be very interesting to see how the sunset of the employee data exemption in California impacts that aspect of related state legislative debates next year," says Melissa Kelly. "The bottom line is, there is no shortage of regulatory and legislative activity at either the state or the federal level surrounding privacy policy."

Conversely, if you have employees that do work in the state of California, but you did not make over $25 million in revenue in the previous calendar year, then the legislation would not apply to your organization. However, if you are approaching the revenue threshold and you do have employees in the state of California, it would be wise to implement a privacy policy since the legislation affords a 12-month lookback period for employee requests.

Many HR experts are advising organizations to implement companywide privacy practices regardless of what state they reside in, as it's expected that other states will follow California's lead. In addition, this year, we saw the American Data Privacy and Protection Act (ADPPA) introduced by Congress. While it was not enacted, it may not be long before there is federal privacy legislation as well.

What rights do employees have under the CPRA?

Employees have the right to be notified about when and why their data is being collected, as well as having access to an employee privacy policy. In addition, the employee privacy policy regarding personal data collection should be posted and easily accessible to employees.

"In addition to the "at time of collection" privacy notice, there is a now a requirement for an employee privacy policy," says Jason Albert. "Employers will be required to post an employee privacy statement and disclose to employees in California the category of personal information collected in the last 12 months, among other information."

The employee privacy policy should outline what the data will be used for and whether it will be sold or shared at any point. Employees also have the right to correct or delete personal information held by employers, opt out of the sale or sharing of their personal information, restrict the sharing of their sensitive personal information and to not be retaliated against by employers for making such a request. Employers have 45 days to honor employee requests of this nature.

What data is covered by the CPRA?

Data covered by the CPRA is any information that could be used to identify a person or linked to that person or their household. This information includes name, email address, Social Security Number (SSN), physical address and other pieces of personally identifiable information. Information that is publicly available from governmental records is not considered to be personal information. This means that any data specific to an individual employee and considered personal information is covered by the CPRA.

If an organization is attempting to collect this information from an employee, then the employee has rights under the law to receive notice of this collection and the use and sale or sharing of their information, as well as rights to delete, correct or opt out of sharing.

What is the CPRA effective date?

The CPRA takes effect on January 1, 2023. As mentioned above, this legislation is an extension of the CCPA, which is legislation from 2018 that focuses on protecting consumer data and personal information. It is important to note that there is a lookback period (starting January 1, 2022), of 12 months written into the CPRA. This means an employee can request information that had previously been collected within the last 12 months to be changed or deleted, and the organization would be required to honor this request.

What does the CPRA consider to be "sensitive" personal information?

The CPRA considers SSNs, driver's license numbers, state identification cards, passport numbers, account login information, financial account numbers and debit and credit card numbers to all be "sensitive personal information." In addition, geolocation, racial or ethnic origin, religious beliefs, genetic and biometric information are also considered sensitive personal information. This is not an exhaustive list.

The distinction of "sensitive personal information" from "personal information" is one of the extensions seen within the CPRA when compared with the CCPA. This is relevant because employees, in certain circumstances, can request to opt out of the sharing of sensitive personal information, which is a request that must be fulfilled by employers within 45 calendar days. And if additional time is needed to fulfill the request, another 45 days can be taken if the employee is notified (resulting in a total of 90 days).

What happens if I don't comply with the CPRA legislation?

If you do not comply with the CPRA, your organization could be subject to fines of $2,000 per violation, $2,500 for negligent violations and $7,500 for willful violations. It is important to note that the attorney general has already taken enforcement actions against organizations that did not comply with the CCPA. The regulators have demonstrated their readiness to take disciplinary action against organizations that do not comply with the CPRA's requirements to protect consumer data.

Will sharing employee information with benefits providers or stock option vendors violate the CPRA?

No, providing employee information to service providers will not violate the CPRA. This is because with a service provider there is a contract or agreement governing the use of the data and placing appropriate restrictions on the service provider to use it only in the context of providing those contracted services.

"As long as a provider is providing you services under a written agreement, and you have disclosed the collection and purpose of use in your employee privacy notice and privacy policy, you would not need to get additional consent from the employee," says Marcia Nelson.

The wrap-up: Abiding by the CPRA

Abiding by CPRA legislation means understanding how the law will impact your employees' data and developing privacy practices that will help you meet the obligations under the law. Check with legal counsel if you are unsure of how the CPRA affects your organization.

Did you know?

ADP offers an on-demand webinar that covers the CPRA and how it affects organizations. Subject-matter experts broke down the complex language of the law and spelled out how these new rules affect employers. Launch it here, anytime: California and the New Rules for Employee Privacy: What HR Professionals Need to Know

Dive deeper: Read more on privacy legislation