Employers – and their vendors – need to be aware of the significant changes that are now in effect as the California Privacy Rights Act (CPRA) became operative on January 1, 2023.
The implementation of privacy rights in California began in 1972, when California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people.
Since California voters approved the constitutional right of privacy, the California Legislature has adopted specific mechanisms to safeguard Californians’ privacy, including the Online Privacy Protection Act, the Privacy Rights for California Minors in the Digital World Act, and Shine the Light. Consumers, however, had no right to learn what personal information a business had collected about them and how the business used it, or to direct businesses not to sell the consumer’s personal information.
San Francisco real estate developer Alastair Mactaggart began advocating for consumer privacy a few years ago, after a Google engineer he met at a dinner party told him Americans would be shocked by how much the company knows about us. Mactaggart successfully pushed the Legislature to pass a landmark data privacy law in 2018, the California Consumer Privacy Act of 2018 (CCPA).
The CCPA gave California consumers the right to learn what information a business has collected about them, to delete their personal information, to stop businesses from selling their personal information, including using it to target them with ads that follow them as they browse the internet from one website to another, and to hold businesses accountable if they do not take reasonable steps to safeguard their personal information.
Mactaggart soon discovered that this law passed by the California legislature needed some changes, so he drove the effort to put Prop. 24 on the 2020 ballot. And voters seemed to have agreed with him.
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was a California ballot proposition that was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. This proposition expands California’s consumer privacy law and builds upon the California Consumer Privacy Act (CCPA) of 2018, which established a foundation for consumer privacy regulations, with an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.
The new CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA did not become “operative” until Jan. 1, 2023, applying to personal data collected on or after January 1, 2022. The CCPA is codified at Cal. Civ. Code § 1798.100 et seq., and the regulations are found at 11 CCR §§ 999.300 et seq.
CPRA did not replace the CCPA. The CPRA is more accurately described as an amendment of the CCPA. The California Privacy Protection Agency is a new agency, created by the CPRA, which is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.
CPRA eliminated the California Consumer Privacy Act’s (CCPA) exemption for employee personal information. Workers now have the same rights as any consumer. This includes requirements that are currently in effect under the CCPA as well as the new requirements added under the CPRA.
CPRA applies only to employees who are California residents, based on the definition of consumer. Businesses with a presence in multiple jurisdictions in the United States can consider applying a uniform approach, but should keep in mind employment laws in those other jurisdictions and any applicable data privacy laws in other jurisdictions. Notably, recent comprehensive data privacy laws passed in Virginia, Colorado, Utah and Connecticut exempt personal data collected in the context of employment.
Employers must provide notice of employees’ rights under the CPRA and give employees a way to tell the employer about their exercise of these rights. The employer has limited time to respond to a request and must properly document all responses.
Business-to-business transactions are now subject to the CPRA. It is not clear how this will apply to workers’ compensation claims administrators who receive information from an employer.
In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation). In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure.
Consumers may also seek injunctive or declaratory relief, as well as any other relief the court deems proper. Businesses may also be subject to an injunction in actions brought by the Attorney General.
In this case, plaintiffs are Ventura County, California firefighters and law enforcement officers who (except for one plaintiff) are members of two unions, the Ventura County