It’s almost fall! As everything is rapidly becoming pumpkin-flavored, it’s time to face the music: the California Privacy Rights Act (“CPRA”) is coming for employers sooner rather than later.
In case you’ve been in denial, the Legislature enacted the California Consumer Privacy Act (“CCPA”) in 2019. The Act’s basic purpose is to give consumers control over how businesses use their personal information. Voters then passed the CPRA in a ballot measure in late 2020, expanding the CCPA even further. The CPRA goes into effect on January 1, 2023.
If you’re a covered employer, you probably already are aware of basic requirements under the CCPA, including: (1) providing employees and applicants a notice of the categories of personal information you collect (and for what purpose); and (2) implementing security measures to protect such personal information.
But, starting in 2023, your obligations get a whole lot messier. In a nutshell, the CPRA also gives applicants and employees (current and former) the right to:
- Know what personal information you have collected, sold, or shared;
- Seek deletion of personal information;
- Correct inaccurate personal information; and
- Restrict the use of their personal information.
The California Privacy Protection Agency still is developing its final CPRA regulations. Do not wait for the regulations to start preparing, though. We recommend you take the following steps now:
- Organize and map the flow and storage of HR data related to applicants and employees;
- Determine who will be responsible for managing and responding to requests;
- Develop internal procedures for responding to requests; and
- Provide training to any personnel responding to CPRA requests regarding consumers’ rights.
We’ll post some updates and tips here throughout the rest of 2022. Because the CPRA is too complicated to address in a blog post, we’ll be holding a more extensive training session in November. Stay tuned for the deets!