The CCPA And CPRA: New Privacy Rules In Force For Businesses And Employers Beginning January 1, 2023

The California Consumer Privacy (“CCPA”) was passed in 2018, regulating the collection, sale, and use of Personal Information.  However, data collected and maintained about a business’ employees was exempted from most of the CCPA’s requirements. Now, amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) become effective on January 1, 2023 and do directly impact employee Personal Information. The CCPA/CPRA protects California residents by requiring notices concerning the notice of sharing, sale, or use of Personal Information by businesses and employers. If California consumers and employees don’t want to share their data, then they can ask companies to remove their data.

The CCPA/CPRA is applicable to organizations and employers that fulfill any of these criteria:

1. Their 50% of yearly revenue comes from selling personal data.
2. The gross revenue of the business is over $25 million.
3. They are collecting more than 100,000 users’ personal data.

You should first understand if the CCPA/CPRA is applicable to your business. If it is applicable to your business, then you should ensure that you are properly following it by creating a Privacy Disclosure Notice and a website “Privacy Policy.” These notices must contain specific information as set forth in the statutes and the ever-changing regulations. The fines for violation of the CPRA can reach $7500 per violation and require a payment of $750 per affected user. You can avoid these violations by ensuring that you are CCPA/CPRA compliant.

Under the new law, California residents can also sue if their data gets leaked in an information breach. Organizations that are collecting personal data of their customers and employees should follow these new requirements.

There are several key questions California businesses should address to develop compliant notices and policies:

1. How will the CCPA and CPRA affect your business?
2. Do you store and map personal data?
3. Do you have a privacy policy on your website and to provide to employees?
4. Do you inventory and track customer data?
5. How do you process customer requests related to their personal data?
6. Has your IT team updated your system to address the implementation of the new laws?
7. Are you adequately protected from data breaches?

Hunt Ortmann is currently assisting clients in answering these questions, developing employee notices, and developing compliant website policies.

Please contact JoLynn Scharrer at scharrer@huntortmann.com for further information and assistance.