CPPA Finalizes CPRA Regulations – What Should You Know?

June 06, 2023

While the California Privacy Rights Act (CPRA) took effect on January 1, 2023, the looming July 1, 2023 enforcement date for violations and penalties is fast approaching. In February, the California Privacy Protection Agency (“Agency”), the regulatory body tasked with overseeing and enforcing the CPRA, finally voted to approve the finalized text of the regulations governing the CPRA after an extended rulemaking process.

As a refresher, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, is a landmark state law that grants California residents certain rights and control over their personal information held by businesses. Under the CCPA, personal information collected in an employee-employer relationship was exempted from coverage. The CPRA is an updated version of the CCPA that expanded data privacy rights by establishing an independent enforcement agency and introducing new requirements for businesses, including enhanced protections for sensitive personal information. Under the CPRA, the employee-employer exemption was removed, subjecting employers across the state to the requirements under the new legislation.

The finalized CPRA regulations (CPRA Regulations) encompass a variety of issues including businesses’ and employers’ handling of personal information, the sharing of information with third parties, added safeguards for sensitive personal information, interactions between consumers and businesses on the internet, as well as cybersecurity audits and enforcement procedures. The stated goal of the CPRA Regulations is largely focused on providing clarity and particularity regarding the enforcement of the CPRA.

The CPRA Regulations were substantively unchanged from the proposed regulations that were released in October of 2022, but the Agency emphasized that the CPRA Regulations would remain a work in progress and that future revisions to the regulations should be expected. The Agency specifically identified restrictions on the collection and use of personal information as an area where more exemptions could make sense, such as for statistical use of data as well as certain information related to employee benefits.

Although the substantive provisions of the CPRA became effective January 1, 2023, in anticipation of the July 1 enforcement date for violations and penalties under the CPRA, employers should be sure to review their policies regarding the CPRA and the key portions of the CPRA Regulations related to employee information obtained in the course and scope of employment:

Collection of Personal Information and Sensitive Personal Information

The CPRA creates notice requirements for employers who collect “Personal Information” and “Sensitive Personal Information.” Personal Information is defined as information that can reasonably be used to identify an individual (e.g., e-mail address, photo, IP address). Sensitive Personal Information is a subset of Personal Information that requires more robust privacy protections. Sensitive Personal Information is any data that reveals information such as social security numbers, driver’s license numbers, financial account information, precise geolocation, racial or ethnic origin, personal electronic communications, genetic data, and biometric information that uniquely identifies an employee.

Employers must provide a notice to employees at or before the time that Personal Information or Sensitive Personal Information is collected that includes:

  • A description of the categories of Sensitive Personal Information collected.
  • Whether the employer sells or shares the Personal Information.
  • The length of time the Personal Information will be retained by the employer.
  • A list of any third parties the employer uses to collect Personal Information or to whom the employer discloses Personal Information.

Employee Rights Under the CPRA

The CPRA Regulations also require that employers inform employees of the following rights related to the collection and use of Personal Information:

  • The right to delete Personal Information collected from them.
  • The right to know what Personal Information and Sensitive Personal Information a business has collected about them and how it is used and shared.
  • The right to opt out of the sale of their Personal Information.
  • The right to correct inaccurate Personal Information that a business has about them.
  • The right to limit the use and disclosure of Sensitive Personal Information collected about them.
  • The right to seek damages for breach of certain sensitive data.
  • The right to not be retaliated against for exercising any rights under the CPRA.

When an employee submits a request concerning information covered by the CPRA, the employer must verify the request, acknowledge receipt within 10 days of receiving it, and respond to the request within 45 days.

Penalties Under the CPRA

Violations of the CPRA could result in significant penalties: the CPRA allows for up to $2,500 per violation, or $7,500 for intentional and willful violations, with each impacted employee considered a separate and distinct violation. Significantly, the CPRA eliminated the 30-day cure window available under the CCPA, and instead granted the Agency discretion on whether to offer a cure period.

What Should Employers Do?

The CPRA and the CPRA Regulations drastically impact the way that employers collect, use, and store the data they collect from their employees. In preparation for the enforcement date of July 1, 2023, employers should be:

  • Evaluating current data collection policies and procedures.
  • Reviewing the current Privacy Policy and Notice at Collection for consumers.
  • Implementing appropriate data retention and privacy policies.
  • Including specific CPRA provisions in any contracts with vendors that handle Personal Information.
  • Developing a procedure for accepting and evaluating employee requests concerning the collection of Personal Information.

Given the novelty of the CPRA and the uncertainty surrounding its enforcement, Haynes Boone will continue to monitor how the Agency enforces the CPRA and updates the CPRA Regulations, as well as any other developments related to the CPRA.

Please contact the authors of this post or your Haynes Boone attorney should you have any questions or would like to discuss the impact of the CPRA on your business.