It’s been no doubt a week of mixed emotions at the California Privacy Protection Agency (“CPPA”) which last week had its final CCPA regulations (“Regulations”) approved and filed with the California Secretary of State by the Office of Administrative Law. The final regulations have been stated to be “effective immediately”. The result is that California employers are now going to have a significant burden around compliance with California privacy law which they didn’t have previously.
Taken on its face, “effective immediately” would mean that enforcement of the regulations would be available (if not acted upon) immediately. However, as with much about the CCPA, this may not be definitive.
First, the California Administrative Procedure Act (“APA”) provides that regulations become effective on one of four quarterly dates based on when the final regulations are filed with the Secretary of State. Under the APA the enforcement date would still be July 1, because the regulation was filed between March 1 and May 31. See Cal. Gov. Code §11343.4(a)(3).
Second, Proposition 24 (the actual amendment to the CCPA) itself provides timing of enforcement of the new provisions of the CCPA. Specifically, Cal. Civ. Code §1798.185(d) states “Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023.”
To complicate matters further, on March 30, 2023, the day after the new regulations were announced as finalized by the CPPA, the California Chamber of Commerce filed suit against the Agency seeking declaratory and injunctive relief to delay enforcement. The lawsuit seeks the delay of enforcement until one year after the regulations were finalized. The original CPRA mandated that Regulations be adopted by July 2022, with enforcement to begin July 2023. The Chamber’s suit makes many claims, including that the new Regulations are incomplete and rushed upon business because of the CPPA’s own internal delays, and that the elimination of the safe harbor for enforcement combined with the shortened period between regulation and enforcement causes undue hardship. Their argument concerning the enforcement date is essentially that because the CPPA missed the regulation adoption date by approximately eight months, the enforcement date should also be shifted forward by the same period of time. Whether this lawsuit will succeed or not is difficult to ascertain at this time.
All of this is to say, while the press release of the CPPA may be technically correct, the practical application of the law to businesses still seems to have some breathing room. That said, despite the continuing lack of certainty around this legislation, it is important to continue to shore up any compliance efforts businesses have underway. This is particularly important in the HR/workplace context, where businesses have had broadened obligations to job applicants, employees, owners, directors, officers and contractors.
There are some immediate actions covered businesses will need to take in any eventuality:
- Figure out what HR-related data is subject to the CCPA and what isn’t.
- Review exemptions under Cal. Civ. Code §§1798.145 and 1798.146. For example, background reports on employees from consumer reporting agencies under the Fair Credit Reporting Act are likely exempt.
- Review Federal laws that expressly preempt state law. For example, ERISA generally preempts state law and has certain record-keeping requirements that will affect how employers respond to requests for deletion.
- Review the new regulations for required notices and disclosures.
- Draft an HR-related data privacy policy for employees and applicants. This is a separate requirement from the earlier “privacy notice” that was required under Cal. Civ. Code §1798.100 as all the requirements of §1798.130 are also implicated. Additionally, the regulations have distinctive requirements around “privacy policies” (under 11 Cal. Code Reg. §7011) and “privacy notices” (under 11 Cal. Code Reg. §7012).
- “Sensitive Personal Information” now has to be specifically discussed in policies and notices. This can impact EEOC reporting data.
- Develop a “Service Provider Addendum” for all vendors that touch covered data.
- The regulations require “magic language” to keep a vendor a “service provider”. If a vendor isn’t classified as either a service provider or a contractor, then it is a “third party” and businesses lose the “safe harbor” around joint liability if the vendor violates the CCPA or the regulations.
Clearly, there is much more for a full compliance program to be developed and deployed but working through the above considerations will keep most businesses on course for compliance (almost) no matter what.