On November 3, 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act of 2020 (CPRA). Proposition 24 expands on the existing California Consumer Privacy Act of 2018 (CCPA) in several ways that affect employers doing business in California, who may now be required to be in compliance with the CPRA, or what some are calling “CCPA 2.0.”
Prior to the passage of Proposition 24, the original CCPA enacted in 2018 afforded California consumers and employees rights over how and whether the personal data they provide to businesses is collected, retained, and sold. Because the CCPA’s definitions are broad, employee data that employers collect for employment purposes was included. Generally speaking, the CCPA applied to either (1) for-profit businesses with over $25 million in gross revenues that conduct business in California and collect personal information of California residents; (2) businesses that give, receive, sell, or share personal information of 50,000 or more California residents for commercial purposes; or (3) businesses that derive 50 percent or more of their annual revenue from selling California residents’ personal information. The businesses do not require a physical presence in California.
In 2019, the California legislature passed Assembly Bill 25 (AB 25), which largely exempted employers from the requirements to protect employee information under the CCPA for one year through January 1, 2021. In 2020, the state assembly passed AB 1281, replacing AB 25, extending the exemption for employee personal information from most requirements of the CCPA to January 1, 2022.
On the heels of passing AB 1281, California voters approved Proposition 24, which extended the exemption for employers to January 1, 2023. The CPRA also expanded existing privacy rights under the CCPA. Effective January 1, 2023, businesses are responsible for taking additional steps to protect private information, including, without limitation:
Additionally, CPRA establishes the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA beyond the state’s Attorney General’s Office. This is particularly pertinent for businesses, as the law also removes the ability of businesses to fix certain violations before being penalized for those violations.
That said, Proposition 24 will not be the “last word” on California consumer privacy rights. The California Attorney General’s Office and the CPPA must promulgate proposed final CPRA regulations no later than July 1, 2022.
While covered California employers subject to the CCPA and CPRA may rest easier knowing that they are exempt from compliance of these privacy laws until January 1, 2023, they should continue to monitor developments on the CPRA to determine if they need to make any changes to the storage and maintenance of personal information or to their privacy policies and practices in general. Goldberg Segalla’s Employment and Labor and Cybersecurity and Data Privacy practices are ready to help employers determine whether they need to be compliant with this emerging area of privacy and employment law.
For more information or immediate guidance, contact: