A new California law that became effective in March 2024 has made California employers scramble to implement effective privacy protection policies for their employees. The new law, the California Privacy Rights Act (“CPRA”), applies the requirements of existing privacy rights law to personal data that employers obtain from their employees, leaving many of them asking the same question: what exactly must we do?
In a nutshell, the CPRA now requires most employers to implement a privacy policy. Qualifying employers must analyze the data they collect both from third parties and employees and record how such data is stored, the purpose for such collection and storage, the security protocols in place, and how data subjects may enforce their rights under the CPRA.
To ensure compliance and foster trust, employers must pay close attention to their privacy policies, data storage practices, data collection processes, and incident response plans in the event of a data breach. When drafting privacy policies, businesses should adhere to the following best practices to stay ahead of the curve:
- Clarity and Accessibility: Privacy policies must be clearly written, easy to understand, and accessible to everyone. They should be available in multiple formats, ensuring accessibility for consumers with disabilities.
- Transparency: The policy should explicitly outline the types of personal information collected, disclosed, or sold, along with a clear explanation of the business purposes behind these actions.
- Availability: Policies should be easily accessible both online and offline, with a prominent link displayed on the company website for quick access.
- Consumer Rights: For businesses covered by the CCPA, privacy policies must include a comprehensive overview of consumer rights, along with clear instructions on how to exercise those rights, and provide contact information for further inquiries.
- Data Sale Disclosure: Businesses that sell personal information must explicitly state this in their policies and include a “Do Not Sell My Personal Information” link, where applicable, to give consumers control over their data.
- Regular Updates: Privacy policies should be regularly reviewed, updated, and maintained to reflect any changes in procedures, as well as to keep up with evolving regulatory requirements.
- Record Retention: Companies must keep a record of their privacy policy for at least four years, aligning with the statute of limitations for CCPA enforcement actions.
RPNA’s dedicated and experienced Certified Information Privacy Professionals and privacy experts are uniquely qualified to assist employers with crafting narrowly tailored, compliant privacy policies to meet this ever-changing regulatory landscape in the age of voluminous data.
Contact Us Today:
- Nadine Alsaadi: na@rpna-law-staging.fqgvyuixgm-xmz4qlgmp32o.p.temp-site.link
- Brad Barbagallo: wbb@rpna-law-staging.fqgvyuixgm-xmz4qlgmp32o.p.temp-site.link
- Phone: 818-992-9999
Nadine Alsaadi
Nadine Alsaadi is a Senior Attorney specializing in privacy law and is a member of the International Association of Privacy Professionals. She also focuses on business and commercial disputes and was selected as a 2025 Rising Star in Business Litigation by Super Lawyers.
Brad Barbagallo
Brad Barbagallo is a Senior Attorney with significant experience litigating and advising clients on employment, business, and privacy matters. Brad is also recognized as a Certified Information Privacy Professional for the United States (CIPP-US) by the International Association of Privacy Professionals.