New Regulations Provide Employers with Clear Guidelines for CPRA Compliance
California Employers Prepare for Implementation of California Privacy Rights Act
After months of uncertainty, the rulemaking process for the California Privacy Rights Act (CPRA), the first-ever comprehensive U.S. data privacy law applicable to HR data, concluded on March 29. California employers can now put the finishing touches on required notices and policies, distribute them, and take the necessary steps to implement their compliance program.
Under the prior law, the California Consumer Privacy Act (CCPA), HR data was mostly excluded, apart from a brief notice-at-collection requirement for applicants and employees in California. However, with the CPRA going into effect on Jan. 1, this exemption for HR data was eliminated, requiring employers to post an online privacy policy, include specific language in contracts with service providers, and establish procedures for individuals to exercise their new data rights.
The CPRA established a six-month grace period on administrative enforcement through June 30, providing employers with time to ramp up their compliance efforts without fear of litigation. The final CPRA regulations allow for combining the notice at collection and privacy policy into one document, as long as the necessary information is included and easily accessible.
Additionally, the CPRA lists specific clauses that must be included in agreements with vendors handling employees’ personal information, with the final regulations adding requirements related to the purposes of use. The regulations also outline various data rights for individuals, including the right to delete personal information, correct inaccuracies, know how their information is used, opt out of sales and sharing, and limit the use of sensitive personal information.
Employers must comply with new notification and disclosure requirements when responding to data rights requests, including explaining the basis for denial and confirming receipt of requests within a specific timeframe. The regulations also clarify requirements for complying with opt-out preference signals and limit the disclosure of certain highly sensitive personal information.
As the enforcement of the CPRA may follow a similar approach to the CCPA, employers are advised to finalize their privacy notices, vendor agreements, and policies to ensure compliance with this new law. With the deadline approaching, California employers are gearing up to meet the requirements of the CPRA and protect the privacy rights of their employees.



