California’s new workplace privacy law is not entirely new; however, certain privacy provisions within the law took effect on January 1, 2023. In 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA), which introduced additional privacy protections to an existing law.
The CPRA is designed to protect the privacy rights of individuals and hold businesses accountable for safeguarding personal information. While the CPRA is intricate, employers must focus on three main obligations:
Comply with New Employee Rights
Employees now have the right to request disclosure of personal information collected about them, request the correction or deletion of this information, and direct the employer not to sell or share their personal data. Additionally, employees can limit the use of sensitive personal information and access details about what personal information is shared or sold and to whom.
Include CPRA Provisions in Vendor Contracts
Employers must incorporate specific CPRA provisions into contracts with vendors who handle private employee data.
Which Employers Must Comply with the CPRA?
Employers who satisfy at least one of the following criteria must comply with the CPRA:
- Annual gross revenues exceeding $25 million.
- Deriving at least half of annual revenues from selling consumers’ personal information.
- Handling, buying, sharing, or selling personal information belonging to at least 100,000 California residents annually.
This law has limited exceptions, and even some smaller businesses might fall under the CPRA’s purview, especially if they collect information about website users.
What Happens if My Employer Violates My Rights Under the CPRA?
Penalties for noncompliance could cost an employer up to $2,500 per violation ($7,500 for intentional violations or ones that involve children), and each impacted consumer or employee could potentially count as a separate violation.
Additionally, the CPRA allows consumers, including employees, to bring individual lawsuits against businesses for certain unauthorized access or disclosure of non-encrypted and non-redacted personal information. If your privacy rights are violated, you may have the right to seek damages through legal action.
Class Action Lawsuits
The CPRA also allows for class action lawsuits for certain data breaches and unauthorized access or disclosure incidents. If a group of individuals is affected by a violation, they may collectively file a lawsuit against the business, potentially resulting in substantial damages.
Corrective Action Orders
The California Privacy Protection Agency (CalPPA) also has the authority to issue corrective action orders to bring businesses into compliance with the CPRA. If your employer is found to be in violation, CalPPA may require them to take specific actions to rectify the situation.
If you believe your employer has violated the CPRA, consult a trusted Los Angeles employment law lawyer to understand your rights and explore potential courses of action.