New Changes to California Privacy Rights Act Compliance
#Sean Nalty © Ogletree Deakins
|
|
By Sean Nalty © Ogletree Deakins
October 12, 2022
|
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
Image Caption
Page Content
The compliance date for the California Privacy Rights Act (CPRA) is Jan. 1, 2023. There are significant changes from the current law, the California Consumer Privacy Act (CCPA), including the following:
- The CPRA no longer includes the employee exception, which means that California employees, applicants, emergency contacts, beneficiaries, independent contractors, and members of boards of directors have the same rights as any other consumer. Generally speaking, employees may request that the company disclose to them the personal information collected on them and or request that this information be deleted or corrected. Employees may direct the company not to sell or share their personal information, and each employee has the right to limit the use of sensitive personal information. Employees have the right to access personal information and to know what personal information is sold or shared and to whom.
- Employers must provide notice of employees' rights under the CPRA and give employees a way to tell the employer about their exercise of these rights. The employer has limited time to respond to a request and must properly document all responses.
- The CPRA makes a distinction between "personal information" and "sensitive personal information." Personal information is "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Sensitive personal information includes anything that reveals an individual's personal information, such as Social Security number, driver's license number, state identification card, passport number, account log-in, password, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership. The data privacy protections for sensitive personal information are required to be more robust than those used to protect personal information.
- Business-to-business transactions are now subject to the CPRA.
Employers may want to confirm that they have procedures in place to meet the Jan. 1, 2023, compliance date under the CPRA.
Sean Nalty is an attorney with Ogletree Deakins in San Francisco. ©2022. All rights reserved. Reprinted with permission.
Members may download one copy of our sample forms and templates for your personal use within your organization. Please note that all such forms and policies should be reviewed by your legal counsel for compliance with applicable law, and should be modified to suit your organization’s culture, industry, and practices. Neither members nor non-members may reproduce such samples in any other way (e.g., to republish in a book or use for a commercial purpose) without SHRM’s permission. To request permission for specific items, click on the “reuse permissions” button on the page where you find the item.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in as a SHRM member.
Please purchase a SHRM membership before saving bookmarks.
SHRM HR JOBS
Hire the best HR talent or advance your own career.