California voters resoundingly approved Prop 24, also known as the California Privacy Rights Act (“CPRA”) and CCPA 2.0—yet again shaking up California’s privacy laws and making California the epicenter for digital privacy rights in the United States. This article answers questions about how the CPRA changes existing laws and impacts “sensitive personal information” maintained by businesses about their applicants, employees, and independent contractors.
When Does CPRA Take Effect?
The CPRA amends the current text of the California Consumer Privacy Act (“CCPA”) and goes into effect on January 1, 2023. Existing CCPA requirements remain in effect until then. Although the CPRA is not effective until 2023, it includes a one-year “look-back provision” that will govern data collected starting January 1, 2022. Accordingly, many businesses will spend the next 12 months making their privacy practices, notices, and workflows CPRA-compliant.
Which Businesses Must Comply With the CPRA?
The CPRA amends the CCPA’s definition of a covered “business” to provide clarity and attempt to minimize its impact on small- to medium-sized businesses. The CPRA applies if a business collects personal information on California consumers, does business in California, and meets one of the following thresholds: (1) had annual gross revenue in excess of $25 million in the preceding calendar year; (2) buys, sells, or shares the personal information of at least 100,000 California consumers or households; or (3) derives at least fifty percent of its annual revenue from selling or sharing consumers’ personal information.
This definition of covered “business” includes businesses that are physically located outside of California if they meet one of the three thresholds.
How Will CPRA Impact Employee Privacy Rights?
The CPRA specifically provides “[t]he interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” (CPRA Sec. 8, Purpose and Intent.) The full scope of rights afforded to consumers under the CPRA will be extended to all applicants, employees, and independent contractors on January 1, 2023, unless the CPRA is further amended. Employees currently have the right to receive a notice at collection and right to sue if their sensitive personal information is breached. (See The Only Constant is Change: How Evolving Privacy Laws Impact Employers).
The CPRA also introduces a new category of protected information that is a hybrid of the two definitions of “personal information” under the CCPA. The CPRA defines “sensitive personal information” as personal information that reveals a variety of data elements, including a consumer’s social security, driver’s license, or passport number; account login information; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; or union membership. Notably, sensitive personal information also includes the contents of a consumer’s email or text messages (unless the business is the intended recipient of the email or text message).
Sensitive personal information is regularly collected by businesses from applicants and employees to comply with other legal requirements, such as I-9 verification and EEO-1 filings. Until now, many of these data elements were not regulated. As Human Resources and Legal teams begin mapping workforce data regulated by the CPRA, it is important to properly classify and safeguard sensitive personal information. (See Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act). Several CPRA provisions also restrict the use and retention of sensitive personal information.
Who Will Enforce the CPRA?
Arguably, the most significant change the CPRA brings is the creation of a new and well-funded enforcement body focused solely on enforcing the CCPA and CPRA: the California Privacy Protection Agency (the “Agency”). The CCPA currently charges the California Attorney General with issuing regulations and enforcing the CCPA. Like the FTC, the Attorney General is currently a complaint-driven enforcement agency that takes action only after a consumer files a complaint. The Agency, on the other hand, will proactively monitor and audit businesses for compliance with California privacy laws. The CPRA expands and shifts rulemaking and enforcement power to the Agency, including the authority to require businesses to submit annual privacy and security risk assessments and to audit those assessments. The Agency will be governed by a five-member board. The exact size and number of employees of the Agency are unknown but are expected to include dozens of enforcement agents and auditors. What is clear, however, is that the Agency will have at least a $10 million budget beginning in the 2021-2022 fiscal year.
Are More Changes Expected Before 2023?
Ballot initiatives traditionally can only be changed through a subsequent ballot initiative. The CPRA is unique in that it explicitly waives this requirement and allows the legislature to make amendments through a majority vote of both houses, signed by the Governor. However, any such amendments cannot “compromise or weaken consumer privacy.” (CPRA Secs. 3(C)(5) and 25(a)). If the future is anything like the past few years, we can expect more changes before CPRA goes into effect.
What Can You Do to Prepare?
Although we can’t control the privacy waves, we can learn to surf. For businesses just getting started on a privacy program, there are many more to-do items than those listed below. (See Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act). We suggest budgeting at least 6 to 12 months to become substantially compliant with the CPRA. Below is a checklist for building thoughtful and effective privacy and security programs in preparation for the CPRA:
- Revise workforce disclosures to include new definitions and rights;
- Develop workforce request workflows for rights to access, receive, correct, and delete personal information;
- Map, classify and manage sensitive personal information;
- Manage workforce vendors including diligence and contractual indemnity; and
- Develop, enforce and audit document retention policies.
*Chelsea Staskiewicz is a law clerk and Garrett Stallins is an intern with Sheppard Mullin.