California Labor & Employment Law Blog
Are California Employers Prepared To Navigate California’s Evolving Privacy Law Landscape? 
Jul 21, 2021


Colorado’s and Virginia’s emulation of California by recently enacting comprehensive privacy laws is an important reminder to California employers that the clock is ticking to comply with California’s new privacy regulations. California employers should be aware that the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), which amended portions of the CCPA, bringing it closer to the rules governing privacy rights in Europe, have significant implications for the protection of employee data in addition to consumer data.

Criteria for Covered Employers

The good news is that the CPRA amended the CCPA to reduce the number of employers who must comply and to extend the exemption period from CCPA compliance for employment and business-to-business data until January 1, 2023. Starting in January 2023, California’s privacy laws will apply to organizations that:

  • Maintain annual gross revenues in excess of $25 million in the preceding calendar year;
  • Buy, sell, or share personal information of 100,000 or more California consumers or households (compared to the 50,000 or more under the CCPA); or 
  • Derive 50 percent or more of their annual revenue from selling or sharing California consumers’ personal information.

As employers, it is important to assess these measurements promptly to prepare for 2023.  

“Personal Information” Defined

Unfortunately for employers, the CPRA expanded the definition of employee “personal information” to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular employee. This includes a plethora of information such as name, contact information, protected classification (marital status, race, sexual orientation), financial or medical information, religious beliefs, union membership, internet or electronic network activity information, professional or employment-related information, education information, and more. To make matters more complicated, the contents of an employee’s email, mail, and private messages are considered sensitive personal information, a new sub-category of “personal information,” unless the employer is the intended recipient of the communication.

Notice and Data Mapping

Implementing and complying with privacy laws takes time, so employers need to begin this process now. To start, employers must give employees notice about “personal information” that is collected, including the collection of COVID-19 vaccination information. The mandatory data-mapping process, which creates a map of how data is managed and stored in your organization, is involved and time-consuming. Covered employers need to know where personal information comes from, where it is located, and how data is stored, and must take security measures to maintain the data safely. Depending on your organization, this process may require outside consultants or a dedicated in-house team.


The CPRA created the California Privacy Protection Agency (CPPA) with powers to make rules, investigate, and enforce the CPRA. The CPRA eliminated the current 30-day cure period from the CCPA after notice from the California Attorney General of alleged violations and increased the maximum penalties. The CCPA created a private right of action that applies after personal information that was not reasonably protected is disclosed or hacked, and that right is currently the foundation for numerous class action lawsuits. The CPRA’s expansion of the definition of “personal information” to include sensitive personal information will only increase the likelihood that plaintiffs’ lawyers will commence unwelcome lawsuits alleging that personal information was not properly secured.

Mark Your Calendar

There is no doubt that complying with the CCPA/CPRA is a beast.  Therefore, California employers should watch out for several important deadlines:

  • January 1, 2022 – Obligation to respond to personal information requests commences. 
  • July 1, 2022 – Deadline for final CPRA regulations to be adopted by the CPPA.
  • January 1, 2023 – CPRA enters into full force.
  • July 1, 2023 – Enforcement of the CPRA begins under the CPPA.

Early Preparation is Wise

While this may appear to be overwhelming, California employers that start preparing now to understand how and to what extent the CCPA and CPRA affect their organization will have sufficient time to get into compliance without undue concern.  Consult with your favorite CDF privacy lawyer to save yourself headaches and eliminate or minimize future exposure.  

About CDF

For over 25 years, CDF has distinguished itself as one of the top employment, labor and immigration firms in California, representing employers in single-plaintiff and class action lawsuits and advising employers on related legal compliance and risk avoidance. We cover the state, with five locations from Sacramento to San Diego.

About the Editor in Chief

Sacramento Office Managing Partner and Chair of CDF’s Traditional Labor Law Practice Group. Mark has been practicing labor and employment law in California for thirty years. His practice has a special emphasis on the representation of California employers in union-management relations and handling federal and state court litigation and administrative matters triggered by all types of employment-related disputes. He is also adept at providing creative and practical legal advice to help minimize the risks inherent in employing workers in California. He was recently named “Sacramento Lawyer of the Year” in Employment Law-Management for 2021 by Best Lawyers®.