California is ramping up to make significant changes to its consumer protection laws. Specifically, a new law will provide protections to employees who were previously exempted from such laws.
Employers are expected to have policies and procedures in place before the effective date of the new law. Employees whose rights are violated may have grounds to file a complaint against their employer and be awarded financial damages.
Overview of the Privacy Act for Employees
The California Privacy Rights Act (CPRA) overrides the “HR exemption” carved out of the California Consumer Privacy Act (CCPA). Therefore, many businesses that were previously exempt from the requirements of the CCPA will now be subject to its provisions. Covered businesses will need to update policies and processes to comply with the new law by the effective date.
Under the CCPA and, by extension, the CPRA, businesses must identify, at or before the point of collection, certain information they will collect from employees, whether the employer can sell or share collected information, whether the company will collect sensitive personal information, and any applicable retention periods.
In addition to telling employees what information they will collect, employers must also provide a privacy notice explaining how information collected within the 12 months prior to the effective date of the policy was used and how employees can request information pertaining to the collection.
Employees may submit requests to exercise their rights, including the right to request:
- Disclosure of what information was collected about them, to whom the information was disclosed, and what information was sold or shared and to whom
- Deletion of personal information that was collected about them
- Correction of personal information that was collected about them and that is not accurate
- Limitation of the use of sensitive personal information
- Instruction that the employer not sell or share their information
Employers will only have a limited amount of time to respond to such requests. Employers must respond to requests to exercise rights to know, correct, or delete information within 45 days.
The CPRA requires covered businesses not to retain personal information for longer than is reasonably necessary. The CPRA and CCPA contain anti-discrimination language, which includes the right not to be retaliated against for exercising the rights provided by the CPRA. The California Privacy Protection Agency is a new regulatory agency that has been created by the CPRA. It is responsible for drafting and implementing CPRA regulations.
To Whom Does the Law Apply?
The requirements of the CPRA apply to all covered businesses, which include a business in California that meets any of the following conditions:
- Has annual gross revenue in excess of $25 million for the previous calendar year
- Annually buys, sells, or shares personal information of 100,000 or more consumers or households
- Derives at least half of its annual revenue from selling or sharing personal information
Consumers of covered businesses who may be affected by the CPRA include:
- Employees
- Independent contractors
- Dependents
- Applicants
- Board members
- Emergency contacts
- Beneficiaries
Changes to Existing Law
Some of the most significant changes imposed by the new law include:
- The CPRA eliminates the employee exception under the CCPA, so employees and those related to them will have the same rights as any other consumers.
- Employees must be provided notice of their rights under the CPRA, which should state that employees have the right to access their personal information and to be informed of which personal information about them is sold or shared and to whom.
- Employees may request that their employer disclose the personal information that has been collected about them and can request that the information be deleted or corrected.
- Employees can direct the company not to sell or share their personal information.
- Employers will have a limited amount of time to respond to an employee’s request.
- Business-to-business transactions will be subject to the CPRA.
- More robust data privacy protections must be put in place to protect sensitive personal information, such as an employee’s Social Security number or account log-in details.
When Does This Law Go into Effect?
The effective date of the California Privacy Rights Act is January 1, 2023. All covered employers are expected to comply with the new law by that date.
Contact an Experienced Employment Law Attorney for Help
If you are concerned about the personal information that your employer has collected on you or someone attached to you or if you have been denied a request to access such information, do not hesitate to reach out to SANFORD A. KASSEL, a Professional Law Corporation. Our knowledgeable employment law attorneys stay updated on the most recent changes in the law. We encourage you to contact our office for a confidential case consultation.