Published on August 4, 2021. Author: Privacy Research Team
The California Privacy Rights Act (CPRA) was passed on the November 2020 ballot, with 56% of California voters in favor. It amends and strengthens the consumer data privacy rights granted by the CCPA in 2018.
Most notably, the CPRA grants new privacy protection rights to the employees of covered businesses. The exemption for employee data (originally provided by the CCPA) is scheduled to end on the same day the CPRA becomes effective, i.e., January 1, 2023. CPRA enforcement will begin six months later, on July 1, 2023.
Once the CPRA goes into effect, organizations will have additional obligations to treat employee personal information in the same way as consumer personal information. The California Privacy Protection Agency (CPPA), the exclusive regulator and enforcement body set up by the CPRA, is expected to enact regulations adapting the CPRA requirements and business obligations to employee data.
The CPRA grants the following DSR rights to employees concerning their Personal Information:
Similar to the CCPA notice requirement that already applies to employers today (despite the general exemption for employee data), the CPRA requires businesses to notify employees before or at the point of collection of their personal information (PI) or sensitive personal information (SPI). The notice must include the following details:
Businesses must not collect additional PI/SPI, or use already collected PI/SPI of employees, for any purpose that is incompatible with the purpose disclosed earlier unless they first provide a new notice to the employee.
Businesses must only collect, retain, and sell/share employees’ PI and SPI to the extent that is necessary, minimal, and proportionate to the purpose for which it is collected.
The CPRA mandates that businesses whose processing of employees’ personal information “presents a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA.
Under the law, this audit must be thorough and independent. To determine whether this requirement applies to their PI processing, organizations need to consider the following factors:
Businesses must plan now and engage a reliable third-party cybersecurity partner to complete the mandatory annual audits.
The CPRA also requires organizations to conduct regular risk assessments evaluating the privacy risks of their processing activities. One factor that can be used to evaluate a processing activity is whether it uses employees’ sensitive PI. Every assessment must weigh the privacy risks of the processing activity against the benefits it provides, and the assessment must then be submitted to the CPPA.
Organizations should start identifying higher-risk processing activities now and build a robust risk assessment framework to meet this requirement. This will allow them to conduct timely risk assessments and identify problem areas quickly.
Businesses must implement reasonable and appropriate security practices to protect employees’ PI. A failure to do so that results in a breach of employees’ PI (or of employee account and password details) may expose the business to a private right of action, with statutory damages ranging from $100 to $750 (or actual damages). However, the business has a period of 30 days after receiving the mandatory notice to remediate the issue.
Businesses must notify employees of any breach of unredacted/unencrypted PI (or of employee account and password details). Businesses must also notify employees if the PI was encrypted but the encryption key or security credential was compromised. The notification must be made as soon as reasonably possible; this period does not include the time needed to determine the scope of the breach and restore the reasonable integrity of the system.
Businesses must enter into contracts with any third party, service provider, or contractor to whom they sell or with whom they share employees’ PI, to ensure:
Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, violations involving the personal information of children under the age of 16 carry a fine of $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.
Organizations also no longer have a 30-day cure period before being fined for violations. Instead, the CPRA gives the CPPA discretionary power to set the length of time allowed to resolve the issue.
The CPRA takes effect on January 1, 2023, and enforcement begins six months later, on July 1, 2023.