
The California Privacy Rights Act: An Overview


The California Privacy Rights Act (CPRA) provides comprehensive regulation of the personal information (PI) of California residents. PI includes any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Quick Hits

  • The California Privacy Rights Act applies to all California resident consumers, including job applicants and employees, and it also applies to business-to-business transactions.
  • Employees can sue their employers for data breaches, and under certain circumstances, employees can bring a class action-type lawsuit.
  • Companies that collect personal information from California resident consumers and have annual gross revenues in excess of $25 million companywide are required to comply with the CPRA.

Overview

The CPRA applies to all California resident consumers, including job applicants and employees, and it also applies to business-to-business transactions. Like other consumers, an employee can sue an employer for a data breach, and, under certain circumstances, can bring a class action-type lawsuit. The court will consider efforts to comply with the CPRA in considering damages or other relief to award in such a lawsuit. Finally, the California attorney general is currently enforcing the CPRA and can levy administrative fines. Companies that annually buy, sell or share the personal information of 100,000 or more California resident consumers, have more than $25 million in annual gross revenue companywide, or derive 50 percent or more of annual revenues from selling or sharing consumers’ personal information are required to comply with the CPRA.

Generally speaking, CPRA compliance requires the following:

  • Implementing reasonable security measures to protect PI from unauthorized access, exfiltration, and/or theft.
  • Putting in place procedures to promptly and properly respond to data breaches.
  • Preparing, posting and distributing CPRA notices to California resident consumers. “Consumer” is defined as “a natural person” residing in California, including job applicants, employees, the beneficiaries and emergency contacts of employees, independent contractors, owners and members of the board of directors. Businesses are required to provide a notice that includes a description of the categories of PI collected, the business purpose for collecting it, how long the PI is retained, and the categories of third parties with whom the PI is shared and/or to whom it is sold.
  • Putting in place a Consumer Access Request procedure so that consumers, including employees, can exercise their rights under the CPRA. This involves verifying and responding to requests to disclose, delete, and correct PI, requests to limit the distribution of PI, and the right to opt out of the sale or sharing of PI.
  • Making sure that vendors and service providers that receive PI from the company comply with the CPRA.
  • Preparing a California-specific privacy policy.
  • Providing employees who handle personal information training on the CPRA.
  • Making sure that consumers, including employees, are not discriminated against for exercising their rights under the CPRA.

Sean P. Nalty is an attorney with Ogletree Deakins in San Francisco. © 2024 Ogletree Deakins. All rights reserved. Reposted with permission.
