Legislative Updates

California Privacy Law – What Employers Need to Know?

06.09.2021

Emptech's founder, Jeff Aleixo

Author

Jeff Aleixo

California Privacy Laws

Despite the far-reaching consequences of the COVID-19 pandemic, California privacy law continues to evolve. Apart from the California Consumer Privacy Act (CCPA), there is a new statewide ballot initiative, the California Privacy Rights Act (CPRA), which would modify and build onto the CCPA. In addition to this, 2020 has brought new privacy legislation signed into law or vetoed by Governor Newsom. This amount of activity in the area of privacy rights proves that there will be more developments on the way. Therefore, businesses need to prepare and take the necessary steps to comply with varying California privacy law.

California Consumer Privacy Act Enforcement

When the California Consumer Privacy Act enforcement period started on August 14, 2020, many companies expected that the final regulations were in place. However, the California Attorney General’s office released a third set of proposed modifications to the CCPA Regulations on October 12, 2020.

This third set of proposed modifications of California privacy law makes the following revisions to the regulations:

  • Requiring businesses that interact with consumers offline to provide notice of the right to opt-out through an offline method and giving examples of such methods,
  • Requiring the methods for submitting requests to opt-out to be easy for consumers to execute and require minimal steps to opt-out. This includes not requiring consumers to provide information that is not necessary to implement the request,
  • Clarifying how businesses may require authorized agents and consumers to submit proof to verify their request, and
  • Clarifying that businesses subject to either Rules Regarding Consumers under 13 Years of Age, Rules Regarding Consumers 13 to 15 Years of Age, or both of these sections are required to include a description of the processes set forth in those sections in their privacy policies.
Use a range of cloud solutions to comply with various data security laws and compliance standards, allowing you to stay ahead of constantly changing regulations.

CPRA as the Newest Addition to California Privacy Law

In addition to dealing with CCPA compliance, there is a new set of data privacy requirements to prepare for. As a new addition to California privacy law, the CPRA would amend and expand the CCPA, keeping certain provisions in place while also revising or adding new ones.

Highlights of the CPRA include:

  • Creating an independent agency, California Privacy Protection Agency, with authority and jurisdiction to implement and enforce the CCPA;
  • Introducing a new category of personal information called sensitive personal information, encompassing health data, sexual orientation, race, origin, geolocation, financial data, genetic data, biometric data, social security number, driver’s license, etc.;
  • Attempting to address whether opt-out rights applicable to data sales apply to the sharing of personal information for behavioral advertising;
  • Modifying the definition of a business to include those businesses that collect information of 100,000 California consumers or households;
  • Giving consumers additional rights such as the right to correct their data, right to not be retaliated against for exercising their rights, right to prevent companies from storing the data longer than necessary, right to opt-out of companies tracking precise geolocation within less than 1/3 of a mile, etc.;
  • Leaving in place the CCPA’s private cause of action for data breaches, but adding consumer login credentials to the types of data that trigger the private right of action.
Get a detailed description of the California Privacy Rights Act and find out what changes it introduces to start building a proper compliance system on time.

Extension of the CCPA’s Exemptions for Employee and B2B Data

Under the CCPA, certain data collected about employees and job applicants, and data collected about individuals acting as points of contact in business-to-business relationships are exempted from most of the requirements. However, those exemptions were set to expire at the end of 2020, unless some action was taken.

That is why the legislature passed two amendments that will affect California privacy law:

Ensuring Compliance with California Privacy Law

2020 has given businesses a lot to deal with, including new additions to California privacy law and compliance, and there is much more to come. Given these developments, it is more and more likely that other states will draft their own data privacy laws in the near future. Therefore, it is necessary that businesses put mechanisms in place to support them as soon as possible.

The best way for businesses to align their data security and privacy practices with California privacy law, as well as other privacy laws looming on the horizon, is to integrate proper programs and technologies. This would allow them to classify personal data, protect it, and monitor and analyze for threats, thus ensuring constant and simplified compliance.

The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.