By Kevin Hylton | LexisNexis Practical Guidance
The voters of California once again laid the foundation for a new compliance challenge for companies when they passed Proposition 24 back in 2020. This initiative, the California Privacy Rights Act (CPRA), expands California’s landmark consumer privacy law to establish even broader consumer protections and impose greater penalties on businesses that fail to comply.
The CPRA becomes fully operative on January 1, 2023, but it applies to personal data collected on or after January 1, 2022, so in essence a number of key provisions have already taken effect. Importantly, it cannot be repealed by the state legislature.
One of the curious provisions of the new law is the creation of the California Privacy Protection Agency, a five-member panel that will oversee enforcement of the statute. The CPRA may be enforced beginning on July 1, 2023 — and only as to violations that occur on or after that date — but the practical reality is that implementation is running behind the schedule outlined in the law, which was passed by 56% of California voters.
“The deadline for promulgating regulations as set out under the CPRA has long passed, which means businesses are eager to receive finalized rules,” Law360 reported on Nov. 23, 2022. “In light of the Office of Administrative Law’s 30-day review period, the soonest companies will likely receive finalized regulations is at the end of January or February. However, depending on what transpires during the comment period and the following activity, this timeline may be further delayed.”
Regardless of the precise date of implementation and enforcement, the CPRA is a sweeping new law that will have important implications for any organization doing business in California. It allows consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ usage of sensitive personal information (e.g., geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information).
For employers, here is the troubling part: There is no exception for data collected and stored for purposes of human resources management.
“The CPRA is a data privacy law that was written with the consumer in mind, but it applies very awkwardly to employers,” said Zoe M. Argento, shareholder at Littler, where she is co-chair of the firm’s Privacy and Data Security Practice Group. Argento represents and counsels clients on all aspects of workplace privacy and information security.
The CPRA applies to any organization that has one or more employees in California if the company made more than $25 million in revenue globally during the previous calendar year. It does not apply to non-profit organizations or government entities.
“In the U.S., employers have not had to deal with a comprehensive data privacy law like this before,” explained Argento. “For example, the existing California Consumer Privacy Act exempts HR-related data, except for certain circumstances such as data breaches. The CPRA now requires several elements of comprehensive protection of HR data, which is very burdensome and a lot of work for businesses.”
Argento identified some of the key requirements in the CPRA that employers need to understand:
“HR departments are handling a lot of sensitive information and very disparate types of information — everything from performance valuations and tax information to benefits and health data — and they’re already subject to a lot of demanding requirements for handling data in the HR context,” Argento said. “So the CPRA is really overlaying another demanding data regime on top of what is already a very complicated process for handling employee data.”
The CPRA does not apply to employees within an organization who do not work in California, but many legal observers are suggesting it might be wise to consider implementing a privacy policy that complies with the CPRA “since other states may follow California’s lead and pass employee data privacy legislation of their own,” according to ADP's HR blog.
I had the privilege of interviewing Argento on the latest episode of our “Practical Guidance: Data Privacy Series” podcast, where we invite experts to provide insights on timely data privacy and security issues facing legal practitioners. Listen now or download the episode regarding the employers who need to comply with the CPRA, what that compliance looks like, and a host of other pressing issues related to the CPRA.