The CPRA Employer Action Items
California’s Third District Court of Appeals recently vacated a lower court decision that had stayed the implementation of regulations under the California Privacy Right Act (CPRA) and held that the California Privacy Protection Agency (CPPA), the state agency in charge of enforcing the CPRA, may begin enforcing its regulations immediately.
Employers with employees in California should review the CPRA regulations to ensure that their company is compliant.
Employee data falls within the scope of the CPRA. There is no exemption for workforce members. Thus, information from a person acting as job applicant, employee, owner, director, officer, medical staff member, or independent contractor of the business, now falls under the regulations. This includes emergency contact information of that person as well as information necessary to administer benefits of that person. The regulations are effective immediately, including the requirement to provide certain privacy notices in various situations. Also, regulations that are still in draft form will become effective upon finalization.
Note that personal information subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Health Insurance Portability and Accountability Act (HIPAA) will not be subject to the CPRA. However, employee personal information that falls outside the scope of these laws are subject to the CPRA.
Summary
The Third District Appellate Court ruling concerned the implementation of the CPRA, which was approved by California voters by passing Proposition 24 in November 2020. Proposition 24 amended and expanded the California Consumer Privacy Act of 2018 (CCPA), a far-reaching law that was passed by the state legislature to protect consumers’ privacy rights by providing consumers with meaningful control over how their personal information is collected, used, and disclosed by a covered business.
The statutory deadline for implementing regulations under the CPRA was July 1, 2022. Ultimately, final regulations on seven of 15 delineated subject matter areas were issued on March 29, 2023 (additional regulations are in draft form pending finalization). The California Chamber of Commerce sought a writ petition to delay implementation of the regulations for one year because businesses needed more time to comply, the CPPA had missed its deadline and some of the regulations were still in draft form. The lower court agreed and stayed enforcement for a period of 12 months from the date an individual regulation becomes final. This appellate court decision reversed the lower court ruling.
More Information
The Third District Court of Appeals decision describes the chronological events leading up to its stay of the lower court decision and is available here. The CPRA regulations can be found here. A detailed summary and action steps for compliance from the law firm of Fisher Phillips is available here.
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
