POLICY REVIEW 2024  | The California Privacy Rights Act 

If you employ workers or do business in California, here is a brief review of the recently updated California Privacy Act. 


What is it? 

The California Privacy Rights Act (CPRA) provides comprehensive regulation of the personal information (PI) of California residents. PI includes any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 


Who does it apply to? 

  • This applies to all California resident consumers, including job applicants and employees, and business-to-business transactions. 
  • Employees can sue their employers for data breaches. 
  • Companies that collect personal information from California resident consumers and have annual gross revenues over $25 million companywide are required to comply with the CPRA.  
  • Companies that annually buy, sell or share the personal information of 100,000 or more California resident consumers, have more than $25 million in annual gross revenue companywide, or derive 50 percent or more of annual revenues from selling or sharing consumers’ personal information are required to comply with the CPRA. 


Why it matters! 

  • The California attorney general is currently enforcing the CPRA and can levy administrative fines.  
  • Like other consumers, an employee can sue an employer for a data breach and, under certain circumstances, can bring a class action-type lawsuit. The court will consider efforts to comply with the CPRA in considering damages or other relief to award in such a lawsuit.  
CPRA compliance requirements  
  • Prepare a California-specific privacy policy. 
  • Provide CPRA training to employees who handle personal information. 
  • Make sure that consumers, including employees, are not discriminated against for exercising their rights under the CPRA. 
  • Implement reasonable security measures to protect PI from unauthorized access, exfiltration, and theft. 
  • Establish procedures to promptly and adequately respond to data breaches. 
  • Post and distribute CPRA notices to California resident consumers.  
    • “Consumer” is defined as “a natural person” residing in California, including job applicants, employees, the beneficiaries and emergency contacts of employees, independent contractors, owners and members of the board of directors.  
    • Businesses are required to provide a notice that includes a description of the categories of personal information [PI] collected, the business purpose for collecting it, how long the PI is retained, and the categories of third parties to whom the PI is shared and or sold. 
  • Establishing a Consumer Access Request procedure so that consumers, including employees, can exercise their rights under the CPRA. This involves verifying and responding to  
    • Requests to disclose, delete, and correct PI.  
    • Requests to limit the distribution of PI.  
    • The right to opt out of the sale or sharing of PI. 
  • Make sure that vendors and service providers that receive PI from the company comply with the CPRA.