On Jan. 1, 2023, the California Privacy Rights Act of 2020 (CPRA) will take effect and impact how many businesses handle employment data – specifically for organizations handling the personal information of any California resident.
I don’t have a business or employees in California. How does this impact me?
There are three ways the CPRA may impact you:
1. Compliance: Beginning Jan. 1, 2023, you must provide California residents – including any job applicants, employees of, contracts of, owners of, directors of, officers of, and/or medical staff members of that business – with specific privacy disclosures.
2. Response: You must respond to CPRA privacy requests including right to access, delete or correct data.
3. Awareness: ADP® wants you to be familiar with the changes in California, as the CPRA may serve as a blueprint for other areas enacting privacy legislation. We also want you to be mindful should your business expand to California.
You will have to comply with the CPRA if you are a for-profit business and collect and control personal information related to California residents, including employees; and
1. As of January 1, of a calendar year, had worldwide annual gross revenues over $25 million in the preceding calendar year; or
2. Alone or in combination, annually buy, sell or share the personal information of 100,000 or more California residents, or households; or
3. Derive 50% or more of your annual revenues from selling or sharing California residents’ personal information.
While Colorado, Connecticut, Virginia and Utah also adopted consumer privacy laws that will go into effect in 2023, these laws do not cover employment data.
Who do the CPRA obligations fall on?
Obligations imposed by the CPRA on covered businesses fall on the employer, regardless of whether a service provider such as ADP is processing your employee data.
How do I find out how to provide the correct CPRA disclosures or responses?
It’s best if you consult your legal counsel for the right way to provide disclosures or responses.
Who is a resident?
If you are considered a covered business under the CPRA, the obligations outlined above effect on January 1, 2023. Note: California Revenue and Taxation Code defines a "resident" as either "every individual domiciled in this state who is outside the state for a temporary or transitory purpose" or "every individual who is in this state for other than a temporary or transitory purpose."
Watch this webinar
We recently hosted a webinar on CPRA, offering critical insights on things to keep in mind. Check out the recording to help you prepare.
ADP is here to help
We have implemented a U.S.-focused privacy program to accommodate the fast-growing need for a consistent approach to data privacy in the US. Our program creates a set of standards across our products and services processing U.S. data, aimed at assisting our clients with meeting their obligations under the law. We continue to track privacy legislation and will evolve and adjust our program as new laws are added to ensure that we are in the best position to assist you. Click here for additional information about privacy at ADP.
If you have any questions, please reach out to your ADP Service Representative.