The California Consumer Privacy Act (“CCPA”) was passed in 2018, regulating the collection, sale, and use of Personal Information. However, data collected and maintained about a business’ employees was exempted from most of the CCPA’s requirements. Now, amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) become effective on January 1, 2023, and directly impact employee Personal Information. The CCPA/CPRA protects California residents by requiring notice of the sharing, sale, or use of Personal Information by businesses and employers. If California consumers and employees don’t want to share their data, they can ask companies to remove it.
The CCPA/CPRA is applicable to organizations and employers that fulfill any of these criteria:
- 50% of their yearly revenue comes from selling personal data.
- The gross revenue of the business is over $25 million.
- They collect the personal data of more than 100,000 users.
Under the new law, California residents can also sue if their data gets leaked in an information breach. Organizations that are collecting personal data of their customers and employees should follow these new requirements.
There are several key questions California businesses should address to develop compliant notices and policies:
- How will the CCPA and CPRA affect your business?
- Do you store and map personal data?
- Do you inventory and track customer data?
- How do you process customer requests related to their personal data?
- Has your IT team updated your system to address the implementation of the new laws?
- Are you adequately protected from data breaches?
Hunt Ortmann is currently assisting clients in answering these questions, developing employee notices, and developing compliant website policies.