New Changes to California Privacy Rights Act Compliance

By Sean Nalty © Ogletree Deakins October 12, 2022
LIKE SAVE
hands on keyboard with locks

​The compliance date for the California Privacy Rights Act (CPRA) is Jan. 1, 2023. There are significant changes from the current law, the California Consumer Privacy Act (CCPA), including the following:

  • The CPRA no longer includes the employee exception, which means that California employees, applicants, emergency contacts, beneficiaries, independent contractors, and members of boards of directors have the same rights as any other consumer. Generally speaking, employees may request that the company disclose to them the personal information collected on them and or request that this information be deleted or corrected. Employees may direct the company not to sell or share their personal information, and each employee has the right to limit the use of sensitive personal information. Employees have the right to access personal information and to know what personal information is sold or shared and to whom.
  • Employers must provide notice of employees' rights under the CPRA and give employees a way to tell the employer about their exercise of these rights. The employer has limited time to respond to a request and must properly document all responses.
  • The CPRA makes a distinction between "personal information" and "sensitive personal information." Personal information is "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Sensitive personal information includes anything that reveals an individual's personal information, such as Social Security number, driver's license number, state identification card, passport number, account log-in, password, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, or union membership. The data privacy protections for sensitive personal information are required to be more robust than those used to protect personal information.
  • Business-to-business transactions are now subject to the CPRA.

Employers may want to confirm that they have procedures in place to meet the Jan. 1, 2023, compliance date under the CPRA.

Sean Nalty is an attorney with Ogletree Deakins in San Francisco. ©2022. All rights reserved. Reprinted with permission.

LIKE SAVE

SHRM HR JOBS

Hire the best HR talent or advance your own career.

SHRM’s SMALL-BUSINESS LEGAL RESOURCE

SHRM LegalNetwork members can quickly connect with attorneys on an unlimited number of topics for a low monthly fee.

SHRM LegalNetwork members can quickly connect with attorneys on an unlimited number of topics for a low monthly fee.

LEARN MORE

SPONSOR OFFERS

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.