In a few months, certain businesses with California-based employees may face new data privacy requirements as an exemption to the Golden State’s comprehensive privacy and security statute sunsets. In recent years, state lawmakers repeatedly extended an exemption from the California Consumer Privacy Act (CCPA) relating to personal data collected in business-to-business transactions (B2B) and employee data. It came as a surprise on August 31 when the California legislature adjourned without passing one of the various bills that would have extended that exception.
Further legislative action on this point is increasingly unlikely as we enter the fall. As a result, the new requirements become effective on January 1, 2023, when California’s enhanced data privacy law, the California Privacy Rights Act or CPRA, goes into effect.
As of January 1, a business is subject to California data privacy law if it does business in California and meets at least one of the following criteria:
(A) Global revenue greater than $25 million.
(B) Collects personal information from over 100,000 California residents.
(C) Derives at least 50% of revenue from selling or sharing consumers’ personal information.
If your business is within the scope of the law and has employees who are California residents, then here are a few of the new compliance obligations relating to employees:
(1) Businesses must provide their employees with a privacy notice that details the personal data that is collected, processed, and disclosed.
(2) Businesses must provide their employees an opportunity to opt-out of the sale of their personal data and limit the processing of their sensitive personal data if such data is processed for purposes outside of those detailed in the CPRA.
(3) Businesses must have data processing agreements in place with all of their service providers, contractors, and third-parties that process employee data (i.e., software vendors and employee benefits providers).
The penalties associated with non-compliance were recently showcased by the California attorney general, which brought an action against Sephora that recently settled for $1.2 million. It alleged Sephora “sold” consumer personal data by allowing third-party cookies on their website. These third-party cookies collected data to provide consumers with more relevant Sephora product recommendations, personalized shopping experiences, and ads. A business’s vendor relationships pose a similar compliance risk if vendors are not restricted in their use of employee personal data.
For more information, please contact us or your regular Parker Poe contact.