California Privacy Rights Act (CPRA) – Heightened Employer Obligations Coming in 2023

The California Privacy Rights Act (“CPRA”) goes into full effect on January 1, 2023, and amends and extends the privacy rights afforded to California residents under the California Consumer Privacy Act (“CCPA”). Most notable for employers is that the CPRA will eliminate the CCPA’s exemptions that apply to employee data, so businesses subject to the CCPA will now have to comply with its obligations with respect to employee data as well.

Is my business subject to the CCPA?

New for 2023 are heightened thresholds for who is considered a covered business under the CCPA. Going forward, businesses that meet any one of the following requirements will be subject to California’s amended and amplified CCPA:

  • As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year.
  • Alone or in combination, annually buys, sells, or shares[1] the personal information of 100,000[2] or more consumers or households.
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

As a small business, am I off the hook?

Likely for now, but stay tuned… While the amendments to the CCPA have resulted in heightened thresholds for businesses presently, it is possible that we could see these qualifying factors reduced in the near future to encompass more businesses.

In addition, if your business receives personal information from a covered business, you may find yourself bound to the obligations of the CCPA through agreements with your business partners. The CCPA obligates covered businesses who sell, share, or disclose personal information to a third party (this could be your business) to enter into an agreement with the third party obligating the third party to comply with applicable obligations under the CCPA and to provide the same level of privacy protection as required by the CCPA.

This means that, even if you are not a covered business under the CCPA, you may nonetheless find yourself bound to the CCPA’s obligations and consumer protections to the extent you receive personal information from, or are a service provider to, a business that is covered by the CCPA.

So, what are the big changes for 2023?

Say goodbye to employee exemptions

For employers, the biggest change of note is that job applicants, employees, and independent contractors will no longer be exempt from the CCPA. This means that they are entitled to the entire gamut of consumer rights, and that businesses will need to contemplate how they are utilizing employee data when crafting their privacy policies.

With the exemption disappearing, covered businesses will now have to provide a notice at collection to job applicants and employees. Employers will need to be creative in providing this notice. If the business does not have an up-to-date privacy policy that could serve as a notice at collection, it will likely need to provide written notice to its applicants and employees in order to meet its CCPA obligations.

Purpose limitation

The CPRA also adds an explicit, overarching purpose limitation obligation on covered businesses. The CCPA will now require that a business’s collection, use, retention, and sharing of a consumer’s personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses therefore should ensure that any automatic collection or use of personal information that is occurring presently is indeed connected to the purpose for which it is being collected or used, and not simply for an unidentified reason.

New category added (Sensitive Personal Information)

The CPRA also added a new category of personal information, “sensitive personal information.” There are a variety of new rights and obligations which attach to this specific type of information. To summarize, “sensitive personal information” includes things like racial origin, religious beliefs, sexual orientation, health information, precise geolocation, and the contents of a consumer’s mail, email, and text messages.

Security Procedures

Businesses will now be required to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure. This is a particularly important business obligation as the CCPA provides consumers a private right of action if their personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.

New Consumer Rights

Right to Correct Inaccurate Information

The CPRA introduces a new right for consumers to request that a business correct inaccurate personal information. Businesses have an obligation to disclose information about this right to consumers in their privacy policies.

Right to Limit Use and Disclosure of Sensitive Personal Information

With the introduction of “sensitive personal information” comes a new consumer right. Consumers now have the right to direct a business to limit its use of “sensitive personal information” to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services,” or for the performance of specific enumerated business purposes.

Creation of the California Privacy Protection Agency

The CPRA also created a new agency tasked with enforcing California consumer privacy laws. On July 1, 2023, the Agency will begin enforcing the civil and administrative obligations added by the CPRA, which can only apply to violations occurring on or after this date. For businesses, this means that despite the CPRA’s enhanced obligations becoming effective January 1, 2023, businesses have until the end of June 2023 to bring their policies into compliance prior to enforcement.

What should I be doing to prepare?

  • Covered businesses should seek to clearly understand what heightened privacy obligations they have toward consumers under the new CPRA regulations.
  • Employers should start looking at employment-related personal information in the context of the CCPA and undertake data inventory/data mapping exercises.
  • Ensure that your business is providing its employees/job applicants with a notice at or before the time of collection of personal information, and that such notice meets the requirements of the new CCPA.
  • If you are not a covered business but do business with one, it would be prudent to start familiarizing yourself with the CCPA, as you are likely to encounter its obligations through agreements with your business partners.

[1] “Sharing” is a defined term in the CCPA which deals with the sharing of personal information to a third party for “cross-context behavioral advertising.”

[2] Prior to 2023 the figure was 50,000 or more consumers or households.