Nixon Peabody LLP

    Prepare now — California Privacy Rights Act effective January 1, 2023

    Dec 1, 2022

    By Jenny Holmes and Jason Kravitz

    Employers must have data collection and privacy protocols in place by the new year.

    What’s the impact?

    • If CPRA regulations apply to your organization, you should prepare by reviewing your existing policies and implementing needed changes now

    On January 1, 2023, the California Privacy Rights Act becomes effective, amending the California Consumer Privacy Act. Like the CCPA, the CPRA requires a privacy notice be given to employees and job applicants at the time of collection of their personal information. Importantly, however, the CPRA ends the moratorium on extending the CCPA’s consumer data privacy rights to employees. This means that employers need to have mechanisms in place to respond to data subject requests from employees, like the right to access or to correct personal information.

    Here are some other key parts of the CPRA:

    A compliance runway

    • While the CPRA comes into effect January 1, 2023, actual government enforcement of the CPRA’s provisions will not begin until July 1, 2023.

    Additional consumer substantive rights

    • The law imposes heightened protections for “sensitive personal information,” which includes social security, driver’s license, passport, and financial account numbers, and other highly private information. Consumers will have the right to limit businesses’ ability to collect, use, and share this information.
    • Consumers will have the right to request that businesses correct inaccurate information about the consumer.
    • Consumers can limit a business’s ability to collect and use geolocation data that has a level of precision within 1,850 feet.
    • Businesses must inform consumers of their data retention policies, and are not allowed to keep data longer than is “reasonably necessary.”
    • Consumers have the ability to prohibit businesses from sharing data with others for the purposes of cross-context behavioral advertising.

    Strengthened enforcement

    • The CPRA creates a “California Privacy Protection Agency” tasked with enforcement and promulgation of regulations.
    • The CCPA’s 30-day “cure” period is eliminated for government enforcement actions, replaced with a provision allowing the government the discretion to abstain from enforcement actions depending on the circumstances.
    • The penalties for mishandling children’s information are tripled from $2,500 per incident to $7,500, dramatically increasing the consequences of violating the statute.
    • The scope of potential data breach claims is increased by the CPRA’s clarification that leaks of email accounts combined with a password or security question information can support a cause of action for statutory damages.

    Audits and risk assessments

    • While the CPRA itself does not impose a requirement that a business conduct data privacy audits and risk assessments, it does task the attorney general with issuing regulations that create such a requirement for businesses whose processing “presents a significant risk to consumers’ privacy or security.”
     

    What hasn’t changed? As an amendment to the CCPA, the CPRA leaves many of the current statutory provisions untouched. Generally speaking, the overall statutory scheme stays in place: consumers must be accurately notified of their rights pursuant to a privacy policy; data collection, sharing, and usage is generally limited to that which is disclosed to the consumer; “businesses” and “service providers” have differing obligations (although the CPRA imposes some additional contractual requirements); and businesses must respond promptly to consumer requests. These aspects largely remain consistent in ensuring CPRA compliance.

    What employers need to do to prepare

    • Assess the thresholds to see if the CPRA applies to your organization—the CPRA is triggered if your organization collects the personal information of any California consumers and in the past 12 months your organization:
      • has at least $25 million of annual gross revenue
      • buys, sells, shares, or receives personal data or the personal information of 100,000 or more California residents
      • receives over half of its revenue from the sale of personal data of California residents
    • Identify the personal information your organization collects about its employees
    • Develop an employee and job applicant privacy notice
    • Review contracts with service providers that receive and/or process employee personal information
    • Establish internal procedures to receive, analyze, and honor employee data requests

    Our Cybersecurity & Privacy team can help you prepare for the changes the CPRA will bring.

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.
