The California Privacy Rights Act (CPRA) and What Employers Need to Know
By: James K. Paulick, Esq.
The CPRA goes into effect on January 1, 2023
You may already be familiar with the current California Consumer Privacy Act (CCPA), which is a law requiring businesses to meet certain standards regarding the collection and retention of all personally-identifiable data of customers, but not employees.
The California Privacy Rights Act (CPRA) is a major overhaul of the CCPA. The CPRA, along with most of the current CCPA provisions, broadened many of the rights afforded to consumers; added additional due diligence requirements for the sharing of personal information with third parties, service providers and contractors; and expanded its definition of personal information to include employee personal data. If you are an employer covered by the CCPA who currently has any California job applicants, employees, owners, directors, officers, medical staff members, or independent contractors, the CPRA will apply to you.
Which Businesses Have to Follow the CCPA?
Currently, businesses are required to follow the CCPA if they are a for-profit company that does business in California. “Doing business” also means offering products – you don’t have to actually have a store in California or be incorporated in the state.
If you do business in California, and you meet any of the following, you are bound by the CCPA:
- You have ≥$25 million in annual revenue; or
- You collect/store/analyze, or otherwise use or process, the personal information of 100,000 or more California residents or households; or
- You derive at least 50% of your annual revenue by selling or sharing the personal information of California residents.
Top 4 Things Every Company Must Do To Comply with the CPRA
- Give privacy practice and disclosure notices to all California residents who are job applicants, employees, owners, directors, officers, medical staff members, or independent contractors. Privacy practice and disclosure notices should detail the categories of information collected and the purpose of collection, disclose the use of the information, outline data retention periods, and describe the employee rights of access, deletion, modification, non-discrimination and portability. Businesses must also disclose whether they use automated decision-making software to process their personal data, such as profiling their work habits.
- Review and update contracts and service agreements with vendors, contractors and service providers to include required data protection provisions to ensure the proper handling of personally identifiable information that may be shared.
- Implement additional data governance practices, including data mapping company systems that store employee data, such as human resource information systems and databases. Many of these systems have moved to cloud-based models, which leads to major questions, such as:
  - Does the company have an adequate data protection/processing agreement with their HR system provider?
  - Is the data encrypted?
  - Does the company really need all the data they collect?
  - What is the retention period?
- Analyze your cyberinsurance policy and confirm it is adequate to handle the additional risks of enforcement/breach, now that the employee data is actionable via the state of California or private causes of action.
This article is by no means a comprehensive review of the impact that CPRA will have on your business. How the CPRA will affect your business depends on many different factors and circumstances.
For assistance with complying with the CCPA or CPRA, contact James K. Paulick at jpaulick@leechtishman.com or 412.261.1600. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he co-leads the Data Privacy & Cybersecurity Group.
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, emerging cyber technologies, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Washington, D.C.