California Privacy Rights Act (CPRA)

The CPRA is a new consumer privacy law that protects individuals' data privacy rights. It was adopted via referendum by the state of California, which is a fancy way of saying that it was voted into effect by the residents of California after being added to the ballot by a citizen-initiated measure. It will go into effect on Jan 1, 2023. The CPRA builds on previous legislation, the California Consumer Privacy Act (CCPA), which was passed in 2018, and it expands employers' obligations when it comes to collecting, storing, using and sharing personal data belonging to their employees. This new law defines different types of "personal information" and lays out the rights employees have when it comes to the collection, use, correction and deletion of their data.

Is Complying with CPRA Mandatory?

The CPRA applies to your organization if you have employees — or even one employee — in California and if your company made over $25 million in revenue globally in the previous calendar year. It's important to note that the CPRA does not apply to nonprofit organizations or government organizations.

If your organization is not in California, but you have one or more employees working remotely in California, the law would only apply to those employees.

What are the penalties for not complying with CCPA?

If you do not comply with the CPRA, your organization could be subject to fines of $2,000 per violation, $2,500 for negligent violations and $7,500 for willful violations. It is important to note that the attorney general has already taken enforcement actions against organizations that did not comply with the CCPA. The regulators have demonstrated their readiness to take disciplinary action against organizations that do not comply with the CPRA's requirements to protect consumer data.