As previously reported, the California Privacy Rights Act (CPRA), amending the California Consumer Privacy Act (CCPA), went into effect at the beginning of this year. Among other things, the law brought previously exempted employment-related information within the scope of the privacy law, creating new obligations and compliance challenges for California businesses.
Enforcement of CPRA regulations was set to begin on July 1, 2023, but in a last-minute ruling, the Sacramento Superior Court held that the California Privacy Protection Agency (CPPA) must delay enforcement until March 29, 2024, giving businesses more time to comply with the new regulations.
The court’s ruling doesn’t change the fact that the exemption for employment-related information expired on January 1, 2023. Additionally, the CPPA can still enforce the CPRA provisions that are in effect — it just can’t enforce the most recent regulations that took effect March 29, 2023. As previously reported, the CPPA was to have published complete and final regulations by July 1, 2022, with an enforcement date of July 1, 2023 — but the agency had finalized only its first set of rules on March 29, 2023.
In other words, just because the court pushed back the CPPA’s enforcement deadline doesn’t mean employers should relax their efforts to comply with the law.
As a reminder, with respect to employment-related information, employers must:
- Provide a “notice at collection” to employees and applicants, at or before the time of collection, describing the categories of personal information to be collected and the purposes for which the information will be used.
- Provide a privacy policy describing the employer’s personal information practices and disclosing information about employee and job applicant rights under the CPRA and the procedures for exercising those rights.
- Train the relevant personnel on employees’ and job applicants’ rights under the CPRA and how to receive and process CPRA requests.
- Implement reasonable security measures with respect to personal information collected.
Even with the CPPA’s regulatory enforcement delay, employers should continue to fine-tune their compliance efforts with respect to the above requirements and consider the following as they do so:
- Periodically audit employment-related information practices to ensure all personal information covered by the law is accounted for in your CPRA notices, disclosures and responses to CPRA requests. Keep in mind that “collecting” and “personal information” are defined by the law very broadly. As part of this audit, employers may also want to identify ways to streamline and/or minimize data collection.
- Identify service providers and contractors to whom employers may disclose employees’ personal information and work with legal counsel to ensure that contracts with those parties are compliant with the CPRA.
- Review the rights employees have under the CPRA, including any exceptions, and work with legal counsel to establish procedures and tools for receiving, processing and responding to CPRA requests from their personnel.
- Train the relevant personnel on employees’ and job applicants’ rights under the law and how to receive and process requests.
- Ensure that you have compliant notice and disclosure policies in place and that those notices and disclosures are kept up to date as data policies and practices change over time.
Lastly, employers should review the March 29, 2023, regulations and work with their legal counsel to determine how they may affect their current practices and whether any changes should be made ahead of the new enforcement deadline next year.
James W. Ward, Employment Law Subject Matter Expert/Legal Writer and Editor
Employers can read more about the CPRA in CalChamber’s free California Privacy Rights Act: What Employers Need to Know white paper (CalChamber members can read here). Employers can also review CPRA regulatory developments on the CPPA’s website.