CPRA Final Regulations Approved

The Office of Administrative Law approved the long-awaited regulations for the California Privacy Rights Act (CPRA) with an effective date of March 29, 2023.

The CPRA’s amendments to the California Consumer Privacy Act (CCPA) went into effect on January 1, 2023, and the final regulations clarify the requirements under the amendments. These amendments also removed the exemption that had excluded workforce personal information from the CCPA’s consumer data privacy requirements. Workforce members include California applicants, employees, and independent contractors. The CPRA applies to all businesses (regardless of location) with annual gross revenues exceeding $25 million or that buy, sell, or share consumers’ personal information at certain thresholds.

Workforce members are entitled to certain consumer rights regarding their personal information:

  1. The right to know what personal information is collected and how it is used;
  2. The right to correct incorrect personal information;
  3. The right to delete personal information;
  4. The right to opt-out of the sale or sharing of sensitive personal information;
  5. The right to limit the use of sensitive personal information; and
  6. The right to be free from retaliation or discrimination for the exercise of these rights.

These rights have certain limitations, especially in an employment setting. Employers, for example, do not have to comply with a rights request if the information needs to be retained to comply with other applicable laws. Employers should not wait for the final regulations to be approved to move ahead with compliance since there are a number of complicated requirements.

Employers will need to complete a data inventory of all of their workforce personal information. This includes locating the data and identifying the storage format, storage method, and storage location as well as the physical location. This process must also be repeated among any vendors or third parties with whom employers share or sell any workforce personal information. Once personal information is identified, it must be categorized based on its type and business purpose or use as stated in the CPRA. Employers also need to create and update privacy policies as well as notices to provide to workforce members at the point personal information is collected. Contracts with third parties must also include language referencing the third parties’ obligations under the CPRA.

Employers must create an internal process for directing workforce members who want to exercise their consumer rights to the submission methods for such requests and for responding to a rights request. In addition, employers must train the employees responsible for managing workforce personal information and responding to rights requests on the basic requirements of the CPRA as well as on the employer’s specific privacy policy, notice requirements, and rights request submission and response methods. Employers must retain records relating to any rights request submissions and responses for 24 months or as required under other applicable law.

Many of the obligations under the CPRA require specific knowledge about each individual business’s personal information collection, use, and storage practices. The final regulations can be reviewed here once the California Privacy Protection Agency processes the final documents.

Action Items:

  • Locate and map all workforce personal information.
  • Draft notices of collection and privacy and retention policies for workforce personal information.
  • Train appropriate personnel on directing workforce members on how to exercise their consumer rights and responding to rights requests.
  • Review notices, policies, procedures, and third-party contracts with legal counsel.
  • Review the CPPA’s website for more information.