The California Privacy Rights Act (CPRA) is a new comprehensive consumer privacy law. It was adopted via referendum by the state of California and aims to protect individuals' data privacy rights, including those of employees. The CPRA expands pre-existing consumer privacy legislation and outlines how businesses, including employers, must operate when it comes to collecting, storing, using, and sharing consumer data.
New state legislation, such as the California Privacy Rights Act, can often feel like a jumbled grab bag of rules and regulations. They can be difficult to read and even more difficult to understand, and that doesn't even consider trying to determine if and how they apply to your organization.
The danger of not knowing what's in new legislation and how it might affect your organization is that it exposes your organization to potential risks associated with non-compliance. In other words, without knowing the rules, you may end up breaking them by accident, and that could have serious consequences. To that end, we connected with Jason Albert, global chief privacy officer at ADP, Melissa Kelly, senior director of government relations at ADP, and Marcia Nelson, senior U.S. privacy counsel at ADP, who were the featured presenters on this webcast, available on demand: California and the New Rules for Employee Privacy: What HR Professionals Need to Know. Below are their insights and answers about the CPRA and how it affects employers.
What is the California Privacy Rights Act (CPRA)?
The CPRA is a new consumer privacy law that protects individuals' data privacy rights. It was adopted via referendum by the state of California, which is a fancy way of saying it was voted into effect by the residents of California after being added to the ballot by a citizen-initiated measure. It will go into effect on Jan 1, 2023. The CPRA builds on previous legislation, the California Consumer Privacy Act (CCPA), which was passed in 2018, and expands employers' obligations when it comes to collecting, storing, using and sharing personal data belonging to their employees. This new law defines different types of "personal information" and lays out the rights employees have when it comes to collection and use as well as correction and deletion of their data.
What's the difference between the California Consumer Privacy Act (CCPA) and the CPRA?
The difference between the CPRA and the CCPA is that the CPRA provides consumers with additional rights (e.g., the right to opt out of cross-contextual advertising) and applies to employment data. It also requires service providers to make contractual commitments on the protection and use of data, and it requires businesses to include details regarding the retention period — how long they will keep the data — for each category of personal data, or to explain how retention is determined, in the consumer privacy notice.
In addition, the CPRA expands breach liability to include unauthorized access or disclosure of certain data elements (e.g., email address, passwords, or security questions). Basically, this means that the CPRA has broadened what would be considered "breaking the rules" to include unauthorized access or disclosure of certain data elements.
Does the CPRA apply to me?
The CPRA applies to your organization if you have employees — or even one employee — in California and if your company made over $25 million in revenue globally in the previous calendar year. It's important to note that the CPRA does not apply to nonprofit organizations or government organizations.
Many HR experts are advising organizations to implement companywide privacy practices regardless of what state they reside in, as it's expected that other states will follow California's lead. In addition, this year, we saw the American Data Privacy and Protection Act (ADPPA) introduced by Congress. While it was not enacted, it may not be long before there is federal privacy legislation as well.
What rights do employees have under the CPRA?
What data is covered by the CPRA?
Data covered by the CPRA is any information that could be used to identify a person or linked to that person or their household. This information includes name, email address, Social Security Number (SSN), physical address and other pieces of personally identifiable information. Information that is publicly available from governmental records is not considered to be personal information. This means that any data specific to an individual employee and considered personal information is covered by the CPRA.
If an organization is attempting to collect this information from an employee, then the employee has rights under the law to receive notice of this collection and the use and sale or sharing of their information, as well as rights to delete, correct or opt out of sharing.
What is the CPRA effective date?
The CPRA takes effect on January 1, 2023. As mentioned above, this legislation is an extension of the CCPA, which is legislation from 2018 that focuses on protecting consumer data and personal information. It is important to note that a 12-month lookback period (starting January 1, 2022) is written into the CPRA. This means an employee can request that information previously collected within the last 12 months be changed or deleted, and the organization would be required to honor this request.
What does the CPRA consider to be "sensitive" personal information?
The CPRA considers SSNs, driver's license numbers, state identification cards, passport numbers, account login information, financial account numbers and debit and credit card numbers to all be "sensitive personal information." In addition, geolocation, racial or ethnic origin, religious beliefs, genetic and biometric information are also considered sensitive personal information. This is not an exhaustive list.
The distinction of "sensitive personal information" from "personal information" is one of the extensions seen within the CPRA when compared with the CCPA. This is relevant because employees, in certain circumstances, can request to opt out of the sharing of sensitive personal information, which is a request that must be fulfilled by employers within 45 calendar days. And if additional time is needed to fulfill the request, another 45 days can be taken if the employee is notified (resulting in a total of 90 days).
What happens if I don't comply with the CPRA legislation?
If you do not comply with the CPRA, your organization could be subject to fines of $2,000 per violation, $2,500 for negligent violations and $7,500 for willful violations. It is important to note that the attorney general has already taken enforcement actions against organizations that did not comply with the CCPA. The regulators have demonstrated their readiness to take disciplinary action against organizations that do not comply with the CPRA's requirements to protect consumer data.
Will sharing employee information with benefits providers or stock option vendors violate the CPRA?
No, providing employee information to service providers will not violate the CPRA. This is because with a service provider there is a contract or agreement governing the use of the data and placing appropriate restrictions on the service provider to use it only in the context of providing those contracted services.
The wrap-up: Abiding by the CPRA
Abiding by CPRA legislation means understanding how the law will impact your employees' data and developing privacy practices that will help you meet the obligations under the law. Check with legal counsel if you are unsure of how the CPRA affects your organization.
Did you know?
ADP offers an on-demand webinar that covers the CPRA and how it affects organizations. Subject-matter experts broke down the complex language of the law and spelled out how these new rules affect employers. Launch it here, anytime: California and the New Rules for Employee Privacy: What HR Professionals Need to Know