The CPRA expands and amends protections granted under the California Consumer Privacy Act (CCPA), which went into effect in January 2020. A majority of the CPRA’s changes will take effect in January 2023 and apply only to personal information collected after January 1, 2022. Key highlights of the CPRA are summarized below.
Effective immediately, the CPRA extends the CCPA’s existing exemptions for information relating to employees, independent contractors and job applicants, as well as information collected from consumers in a “business to business” context. These exemptions were set to expire on January 1, 2021 and will now continue until January 1, 2023.
The CPRA establishes a new category of “sensitive personal information,” defined as:
1) personal information that reveals:
2) the processing of:
Starting January 1, 2023, businesses that collect “sensitive personal information” must disclose the categories of sensitive personal information collected, the purposes for which the information is collected or used, whether such information is sold or shared, and the retention period for each category.
The CPRA adds a new definition of “consent” that more closely aligns with the definition imposed by the European Union’s General Data Protection Regulation (GDPR) by defining consent as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.”
Starting January 1, 2023, businesses will no longer be able to use general or broad terms of use/service or continued use of a product to constitute implied consent under the CPRA.
The CPRA creates the California Privacy Protection Agency (CPPA) and charges the agency with the enforcement of the privacy protections under the CCPA and CPRA. The CPPA will also issue regulations, with final regulations due by July 1, 2022.
Once the CPRA is effective, the new law will also implement the following:
Businesses that have already invested in CCPA compliance will need to review their policies and procedures to ensure timely compliance with these new CPRA requirements.
Paylocity clients can add a CCPA Notice in their job descriptions in Paylocity’s recruiting and onboarding modules. Please reach out to your dedicated account manager if you need assistance adding these notices.