California Employers Get Ready: Expanded Privacy Compliance Begins in 2023

For the past few years, California’s comprehensive privacy law known as the California Consumer Privacy Act (CCPA) included an important partial exemption for employees, applicants, and independent contractors, collectively known as workforce members. The California Privacy Rights Act, which amended the CCPA, extended that exemption through Dec. 31.

While many expected the exemption would be extended, the current California legislative session ended on Aug. 31 without a bill to do so. The failure to get an extension across the legislative finish line leaves CCPA-covered businesses with not much time to begin expanding their CCPA compliance efforts.

Currently, compliance with respect to workforce members and certain others is limited. It includes, in general, providing a notice at or before the time of collection of personal information and maintaining reasonable safeguards to protect certain personal information.

By comparison, employers will need to, among other things, expand their privacy policy to address workforce members and be ready to respond to the requests of workforce members concerning their rights under the CCPA, including the right to delete their personal information.

Another exemption, known as the B2B exemption, generally excluded the personal information of individuals in their capacities as representatives of entities doing business with CCPA-covered businesses. It appears that exemption also will cease to apply in California on Jan. 1, 2023.

For employers wondering if this applies to them and what needs to be done next, our FAQs provide some helpful information, addressing questions such as:

  • Which businesses does the CCPA/CPRA apply to?
  • What is personal information under the CCPA?
  • Does the CCPA apply to employee/applicant data?

Key steps for compliance will include, among other things:

  • Getting a better handle on the personal information collected, used, retained, and disclosed about workforce members.
  • Updating the business’ privacy policy.
  • Updating agreements with service providers.
  • Training staff on responding to requests from workforce members concerning their privacy rights under the CCPA.

It is worth noting that the other four states with comprehensive privacy laws – Colorado, Connecticut, Utah, and Virginia – all have excluded the personal information of individuals when acting in an employment or commercial context.

Joseph J. Lazzarotti and Jason C. Gavejian are attorneys with Jackson Lewis in Berkley Heights, Calif. Sean Paisan is an attorney with Jackson Lewis in Irvine, Calif. Rob Yang is an attorney with Jackson Lewis in San Francisco. © 2022. All rights reserved. Reprinted with permission. 

Leave a Reply

Your email address will not be published. Required fields are marked *