The California Privacy Rights Act (“CPRA”) took effect in December 2020, but the major provisions will formally take effect on January 1, 2023. The CPRA may be confused with the CCPA, the California Consumer Privacy Act, because both acts create consumer privacy rights regarding the collection and sale of personal information. While the two acts serve a similar purpose, the CPRA significantly amends and expands the CCPA.
When the CPRA was enacted in December 2020, it included exemptions for human resources information and business-to-business (“B2B”) contact information. B2B information includes things such as the telephone number or address of another business. The major provisions of the CPRA that take effect in January end these two exemptions. When the CPRA takes further effect in January, it will include a 12-month lookback period. As a result, on January 1, businesses must declare in their privacy policies whether they have been selling or sharing employee information or B2B information. If a business has been selling or sharing such information, it must offer employees and businesses the ability to opt out of the sharing of their information.
Beginning in January, businesses must update service provider agreements to include such privacy information as required by the CPRA and offer broad access to both employees and B2B contacts. Businesses must also implement the ability to delete private information that is protected by the CPRA and the CCPA. The right to have personal information deleted is not absolute under the CPRA, as it allows employers to retain information that is reasonably necessary to maintain and manage current and past employee relationships. Further, the CPRA states that a business shall not retain a consumer’s personal information for longer than it is reasonably necessary to do so.
The CPRA also provides two new “right to know” rights to employees. Currently, the “right to know” applies to consumers. First, employees have the right to a disclosure which explains how employers collect and handle employee information. Second, employees have the right to copies of specific pieces of personal information.
All businesses and employers in California should be aware of the CPRA and what changes it will entail before the new provisions go into effect. This is especially true due to the 12-month lookback period. Businesses and employers should be prepared to update or enact privacy policies and compliance programs before the new provisions of the CPRA take effect so that they are not overwhelmed come January 1. In addition, businesses and employers should keep accurate records of how they use consumer, employee, and B2B information so that they are able to respond to inquiries regarding the use of such information.