On November 3, 2020, Californians approved another significant piece of privacy rights legislation, the California Privacy Rights Act, or the CPRA.  The CPRA amends and expands the already (almost) infamous CCPA (California Consumer Privacy Act), which is the privacy law that went into effect in the Golden State last year.

New Rights under CPRA

The CPRA provides for, among other things, new and expanded rights for consumers.  The new rights under the CPRA include:

  • Right to Correct Information. A consumer may request that a business correct his or her personal information if it is inaccurate. Covered businesses must disclose this new right to consumers and use “commercially reasonable efforts” to correct personal information upon receiving a verifiable consumer request.
  • Right to Limit Sensitive Personal Information. The CPRA created a sub-category of personal information, labeled as “sensitive personal information”. The definition of sensitive personal information includes 20 different data points including, for example, racial origin, religious beliefs, sexual orientation and geolocation. A consumer may limit the use and disclosure of sensitive information to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services,” subject to certain exemptions.  For example, a consumer may prohibit a business from disclosing sensitive personal information to third parties, in most cases.  A covered business is required to implement a process (like a clearly labeled link) to allow consumers to limit the use of sensitive personal information.
  • Right to Access Information About Automated Decision Making. Consumers may request information about the logic involved in automated decision-making and a description of the likely outcome of processes.
  • Right to Opt-Out of Automated Decision-Making Technology. Consumers are allowed to opt-out of the use of automated decision-making technology in connection with decisions about the consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Expanded and Modified Rights Under the CPRA

There are also several expanded and modified rights under the CPRA, including:

  • Expanded Right to Know. For personal information collected on or after January 1, 2022, the CPRA allows a consumer to make a request to know beyond the CCPA’s normal 12-month look-back period as long as doing so is not “impossible” or does not involve a “disproportionate” effort.  However, this expanded right does not require a business to keep personal information for any specific period of time.
  • Expanded Right to Opt Out. The CPRA expands the existing opt-out right to include both the sale and “sharing” of personal information, which is defined as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
  • Modified Right to Delete. Businesses that receive a consumer deletion request are required to notify third parties who bought or received the consumer’s personal information, subject to some exceptions. Service providers and contractors also must pass the deletion request downstream in certain circumstances.
  • Expanded Right to Data Portability. A consumer may request that a business transmit his or her personal information to another entity, to the extent it is technically feasible.
  • Strengthened Opt-In Rights for Minors.  Businesses must wait 12 months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.

Employee Privacy Rights under the CPRA

The CPRA specifically calls out the privacy interests of employees, noting the differences in the relationships between employer and employee versus business and consumer.  (CPRA, Sec. 8, Purpose and Intent).  Like the CCPA, the full scope of rights afforded to consumers under the CPRA is not extended to applicants, employees, and independent contractors, and the CPRA keeps it that way until January 1, 2023, unless the CPRA is further amended. However, employees, applicants, and independent contractors do have the following rights (and employers should be putting processes in place to address these if they do not already have them per the CCPA): 1) the right to receive notice at collection; and 2) the right to sue if their sensitive personal information is breached as a result of their employer not having reasonable safeguards in place.

Conclusion

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements. And in case you missed it, here are the first two installments of our CPRA series:

 

As we recently reported, the privacy-rights activist group that sponsored the California Consumer Privacy Act (“CCPA”) – Californians for Consumer Privacy – is pushing for an even more stringent privacy bill, the California Privacy Rights Act (“CPRA”). The CPRA has now qualified for the November 3, 2020 ballot, gathering more than 600,000 valid signatures as required, according to the memorandum circulated by the California Secretary of State. If California voters approve the initiative in November, the CPRA would significantly expand the rights of Californians under the current California Consumer Privacy Act (“CCPA”) starting on January 1, 2023, with certain provisions going into effect immediately.

What are some of the key provisions of the CPRA?

  • Establish the California Privacy Protection Agency (“CPPA”): The CPRA would establish the first agency of its kind in the United States. The Agency will be governed by a five-member board, including the Chair, and will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General.
  • “Sensitive Personal Information” vs. “Personal Information”: The CPRA defines “sensitive personal information” more strictly than personal information. The definition is broad, but it includes government-issued identifiers (e.g., SSN, Driver’s License, Passport), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (e.g., mail, e-mail, text), genetic data, biometric information, and others.

The CPRA creates new obligations for companies and organizations processing sensitive personal information. It would also allow consumers to limit the use and disclosure of their sensitive personal information.

  • Additional Consumer Rights: In addition to the rights under the CCPA, consumers will have additional rights under the CPRA, including a) right to correct personal information, b) right to know length of data retention, c) right to opt-out of advertisers using precise geolocation, and d) right to restrict usage of sensitive personal information.
  • Employee Data: Expanded Moratorium until January 1, 2023: In general, most of the provisions of the CCPA do not cover employee data until at least January 1, 2021. The CPRA will expand that moratorium until at least January 1, 2023.
  • Expanded Breach Liability: In addition to the CCPA’s private right of action for breaches of nonencrypted, nonredacted personal information, the CPRA would expand that to the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.

The CCPA has not even celebrated its anniversary nor started its enforcement (July 1, 2020), and companies doing business in California will soon have to grapple with the nuances brought by the CPRA. Jackson Lewis will continue to monitor any developments with the CPRA as it marches to the ballots come November 2020.

 

 

For years now, state laws have required subject organizations to provide notification to affected data subjects and, in some instances, to state agencies, consumer reporting agencies, and the media, when they experience a “breach” of certain categories of information.  And a growing number of states – including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York – have gone a step further, requiring subject organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use.  With the passage of the California Consumer Privacy Act (“CCPA”), California is poised to establish the next frontier in U.S. privacy and data security law.

The CCPA, which is set to take effect on January 1, 2020, imposes on subject organizations not only the obligation to secure data, and to provide notification in the event of a breach, but also an obligation to develop programs to manage the sweeping suite of rights that the CCPA grants to consumers (a category which, as we’ve previously discussed, will likely include employees (at least in certain circumstances)).

The CCPA, which follows in the footsteps of the European Union’s GDPR, has already inspired the proposal of similar legislation in other states – such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island – as well as at the federal level.

Access & Portability

One significant right the CCPA grants consumers is the right to request information regarding:

  • the categories of personal information businesses collect about them:
    • Identifiers – e.g. real name, address, social security number;
    • Characteristics of protected classification under California or Federal law;
    • Commercial information – e.g. products purchased, records of personal property;
    • Biometric information;
    • Internet or other electronic network activity – e.g. browsing history, search history;
    • Geolocation data;
    • Audio, visual, and similar information;
    • Profession or employment related information;
  • the sources from which that personal information was collected (e.g., online order histories, online surveys, tracking pixels, cookies, web beacons);
  • the categories of personal information sold to third parties;
  • the categories of personal information disclosed for business purposes;
  • the categories of third parties to whom personal information was sold or disclosed (e.g., tailored advertising partners, affiliates, social media websites, service providers);
  • the business or commercial purposes for which personal information was collected or sold (e.g., fraud prevention, marketing, improving customer experience); and
  • the “specific pieces” of personal information collected.

The CCPA imposes a one-year lookback period from the time of the request, and mandates that, in the event consumers request access to their personal information, the subject business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”

Deletion

Subject to certain exceptions (e.g., to complete the transaction for which the personal information was collected; to protect against malicious, deceptive, fraudulent, or illegal activity; or to identify and repair errors that impair existing and intended functionality), the CCPA permits consumers to request that subject businesses delete – and direct service providers to delete – personal information collected about them.

Opt Out

Under the CCPA, consumers are empowered to opt out of the “sale” of their personal information.  To facilitate consumers’ exercise of this right, subject businesses are required to provide a link titled “Do Not Sell My Personal Information” to a web page where consumers can opt out of having their personal information sold to third parties. Similarly, Nevada recently enacted a new online privacy law requiring businesses to offer consumers the right to opt out of the “sale” of their personal information, effective October 1, 2019.

Non-Discrimination

To protect consumers who exercise their rights under the CCPA, the law generally prohibits subject businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services, because they exercised their CCPA rights.  That said, businesses are permitted to charge different prices or rates, or to provide different levels or qualities of goods or services, if those differences “reasonably relate” to the value provided to the consumer by the consumer’s data. Additionally, businesses may, under certain circumstances, offer financial incentives to consumers to entice them to permit the collection, retention, and/or sale of their information.

Privacy Policy

The CCPA requires subject businesses to disclose, and facilitate the exercise of, the above-discussed rights in their privacy policies.  Specifically, businesses should update their existing policies, or develop new policies, to include the following elements:

  • a description of the new rights afforded consumers under the CCPA;
  • a list of the categories of personal information collected by the business in the preceding 12 months;
  • a list of the categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
  • a link to a “Do Not Sell My Personal Information” web-based opt-out tool;
  • a description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a discount to consumers who provide their email addresses for marketing purposes, this incentive should be disclosed in the privacy policy); and
  • two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).

Private Right Of Action

In contrast to many U.S. privacy and data security laws, the CCPA provides consumers a private right of action – albeit a limited one.  Specifically, the law empowers consumers to sue on their own behalf when a subject business’s failure to maintain “reasonable safeguards” results in the breach of their personal information.  Notably, the definition of personal information applicable to the private right of action is narrower than the definition used throughout the rest of the CCPA. A consumer can bring a private right of action under the CCPA only if the following information is breached: an individual’s name along with his or her social security, driver’s license, or California identification card number; account, credit card, or debit card number, in combination with a code or password that would permit access to a financial account; or medical or health insurance information. While this private right of action does not extend to the rights discussed above – which will be subject to agency enforcement – even this limited private right will, if the recent flood of claims brought under the Illinois Biometric Information Privacy Act is any indication, result in a significant volume of class action litigation.

Takeaways

With the January 1, 2020 deadline less than four months away, subject businesses need to promptly evaluate whether they are prepared to effectively navigate the expansive array of rights the CCPA extends to consumers.  To do so, businesses will need to, among other things: (1) map the personal information about California residents that they collect, use, and sell; (2) design and document policies, procedures, and practices to manage disclosure, access, and deletion requests, and to avoid discriminatory conduct; and (3) train their workforce members to effectively comply with those policies, procedures, and practices.

One final point of note:  The CCPA has been a work in progress over the last year. California’s legislative session ended on September 13th, with some final modifications to bills that would amend certain aspects of the CCPA. Unanimously approved in final form, they now move on to California Governor Gavin Newsom for consideration and final action on the CCPA by mid-October.  We will continue to track these developments.

The California Senate Appropriations Committee recently blocked a bill that would expand a private right of action under the California Consumer Privacy Act (CCPA). As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the CCPA. Then in April, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2.

If SB 561 became law, it would make a number of significant changes to the current law. In particular, SB 561 would significantly expand the scope of the private right of action presently written into the CCPA. The CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. SB 561 proposed to broaden this provision to grant consumers a private right of action if their rights under the CCPA are violated.

This week, however, the Senate Appropriations Committee blocked the bill. That is likely to end its legislative process, at least for this year, because a bill must pass at least one chamber by May 31 in order to advance in the legislature during 2019.

The bill’s blockage is considered a win for businesses, as expansion of the private right of action would only increase what is already anticipated to be a flood of litigation once the CCPA takes effect.

As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.

If SB 561 becomes law, it would make a number of significant changes to the current law. In particular, SB 561 would significantly expand the scope of the private right of action presently written into the CCPA. In its current form, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment proposed under SB 561 broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.

This could become very costly for businesses subject to CCPA. A plaintiff suing under CCPA can recover statutory damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. With the change under SB 561, violations of rights under the statute, such as rights to certain notifications or the right to have certain information deleted upon request potentially could trigger statutory damages,

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute.

According to reports, while Senator Jackson promised to work with stakeholders to address concerns about an expanded private right of action, the lawmaker apparently is intent on maintaining the ability for consumers whose CCPA privacy rights are violated to sue, without having to rely on the Attorney General’s office to enforce the CCPA.

The implementation of the European Union’s General Data Protection Regulation (GDPR), with an effective date of May 25, 2018, is just around the corner, and with it will come pressure on the human resources (HR) department to update its approach to handling employee data. The GDPR significantly enhances employee rights in respect to control over their personal data.

In particular, the GDPR introduces the concept of a “right of erasure”, i.e. a “right to be forgotten”. Although the concept currently exists under EU law, it is currently applicable under very limited circumstances, when data processing may result in damage or distress. Under the GDPR, pursuant to Article 17 and Recital 65, an employee will have a right to have his/her data erased and no longer processed, where consent to processing is withdrawn, where the employee objects to such processing, or where processing is no longer necessary for the purpose for which it was gathered. That said, the employer, under certain circumstances, can refuse to comply with an employee’s request for erasure of personal data – where data processing is required by law or in connection with a legal proceeding.

Further, there is a time limit for responding to a request for erasure of data by an employee. An employer will be required to comply with a request by an employee ‘without undue delay’, and not later than one month of receipt of the request, together with the reasons for delay (Article 12).

To effectively meet the GDPR’s new requirements, employers will need to take stock of the employee data they process related to EU operations (see Does the GDPR Apply to Your U.S.-based Company?). What categories of EU employee data are processed? Where does it come from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do EU employees have with respect to that information? The answers to these questions are not always self-evident. Employee data may cover current, former, or prospective EU employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts.

To better understand how an employee’s “right of erasure” will impact day-to-day HR operations, below are a few practical examples of instances where an employee will have the right, under the GDPR, to request that his/her data be erased and no longer processed.

Circumstances where an HR department may be compelled to erase employee data:

  • You collected the data during the employee’s hiring process, but, following the completion of that process, you can no longer demonstrate compelling grounds for continuing to process it.  Such data could include, inter alia: (i) past employment verifications, (ii) education and credential verifications, (iii) credit reporting and other financial history data, (iv) government identification numbers.
  • You collected data about an employee in order to administer benefits to him or her, but the employee has since de-enrolled from the benefits program.
  • You collected employee online monitoring data for work productivity purposes – but you collected data that the employee would not reasonably expect to be processed (personal emails, personal messenger conversations, etc.).
  • You collected employee data (e.g., profiling data) for use in evaluating whether to promote an employee to Position X, but end up promoting another employee to that position instead.
  • You processed data related to employee job performance issues (e.g., late arrivals, absences, disputes with a coworker, etc.) a number of years ago, and the employee has not had similar issues since.
  • You collected identifying data on an employee such as an employee’s past address, phone number, email address, username, financial account information, etc., but the employee has since provided updated information.

Employers must be ready to comply with the new EU data regime upon its effective date next month. If your organization has not yet started, it should begin implementing policies and procedures that inform employees of their enhanced rights to control over their personal data, ensure that operationally the organization can comply with such rights, and train HR personnel handling employee requests for erasure of data. This includes developing a plan for how to respond timely and effectively to employees’ requests, and a review process for when there is a legal basis to deny a request.

A terminated executive who accessed co-worker emails in the process of reporting possible company wrongdoing lost his appeal on several grounds. In Brown Jordan Intl, Inc. v. Carmicle, the Eleventh Circuit found that the employee violated both the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA).

Carmicle reported to the company concerns about the preparation of a second set of financial projections to the detriment of shareholder value. Carmicle acknowledged that he obtained much of the information by secretly accessing co-worker emails. He did so by using a universal password issued as part of an email conversion after employees failed to create their own personal password. Carmicle subsequently was terminated after an investigator found his allegations of impropriety were without merit (among other reasons).

The appellate court upheld the ruling that Carmicle violated the CFAA despite his argument that Brown Jordan suffered no “loss” as required by the law. Carmicle argued that there was no damage because the company did not experience an “interruption of service” and there was no damage to the computers.   However, the company maintained it suffered a loss by, among other things, engaging an outside consultant to assess how Carmicle accessed the emails. Based on this expense, the appellate court found the company sustained a “loss” under CFAA. The court held that “loss” can include the reasonable costs incurred in connection with responding to a violation, assessing the damage done, and restoring the affected data to the condition prior to the violation.

Finally, the court rejected Carmicle’s argument that his access was authorized under the SCA based on a company policy stating that employees have no expectation of privacy and that the company has the right to monitor email communication. The Eleventh Circuit found that it would be “unreasonable” to permit someone to exploit a generic password to access emails without prior authorization and without any suspicion of wrongdoing.

Notwithstanding the outcome in this case, companies are reminded to take steps to ensure privacy protocols are in place and up-to-date. In this day and age, it is reasonable to assume that someone – whether from outside the company or within – may seek access to your network.

Earlier this month, the Office for Civil Rights (OCR) issued guidance on an individual’s right to access the individual’s health information. That an individual has a broad right to access has been recognized in the HIPAA privacy regulations since they became effective in 2003. OCR has found, however, that individuals are facing obstacles to accessing their health information, and believes this needs to change. To help covered providers, plans and business associates better understand the right to access, the agency issued a comprehensive set of frequently asked questions (FAQ). These FAQs address a number of access issues, but they also provide practical insight on some key points, one of which is summarized below.

In general, the FAQs address the scope of information covered by HIPAA’s access right, the very limited exceptions to this right, the form and format in which information is provided to individuals, the requirement to provide timely access to individuals, and the intersection of HIPAA’s right of access with the requirements for patient access under the HITECH Act’s Electronic Health Record (EHR) Incentive Program. In some cases, the guidance in the FAQs goes beyond just accessing health information. Consider the following FAQ:

What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit?

If a covered entity discovers that the PHI was breached in transit to the designated third party, and the PHI was “unsecured PHI” as defined at 45 CFR 164.402, the covered entity generally is obligated to notify the individual and HHS of the breach and otherwise comply with the HIPAA Breach Notification Rule at 45 CFR 164, Subpart D. However, if the individual requested that the covered entity transmit the PHI in an unsecure manner (e.g., unencrypted), and, after being warned of the security risks to the PHI associated with the unsecure transmission, maintained her preference to have the PHI sent in that manner, the covered entity is not responsible for a disclosure of PHI while in transmission to the designated third party, including any breach notification obligations that would otherwise be required.  Further, a covered entity is not liable for what happens to the PHI once the designated third party receives the information as directed by the individual in the access request.

A couple of interesting points are made and clarified with this FAQ. One is that if an individual is warned about the risks of unsecured transmissions of PHI, but decides to proceed with the communication despite the warning, the covered entity is not responsible if there is a breach of the information while it is in transit. That is, no breach of unsecured PHI (but the covered entity still would have to consider state law). Second, after the covered entity fulfills the request of the individual and provides the PHI to a third party, the covered entity is no longer responsible.

So, as covered entities and business associates read through the new access guidance, they should be on the lookout for points like this which can reduce costs and better manage risk.

Earlier this month, legislators in Montana gave final approval to H.B. 342 which would limit an employer’s ability to access the personal social media accounts of applicants and employees.  The bill now goes to Governor Steve Bullock’s (D) office for consideration.

If signed, Montana would become the most recent state to join the list of 19 states which limit an employer’s access to personal social media accounts.  A similar bill was signed earlier this year in Virginia.  Like many of the other laws which have been passed on this issue, the Montana bill would prohibit:

  • An employer from requiring prospective or current employees to share their login credentials;
  • Requiring an individual to access the account in a supervisor’s presence;
  • Requiring any communications which the individual made through their personal account to be turned over; and
  • Companies from retaliating against applicants or employees for their refusal to disclose their personal social media information.

Notably, and unlike many of the laws already in place in other states, the proposed Montana law would permit employers to request login credentials when the employer has specific information about the employee’s activity that indicates work-related employee misconduct, criminal defamation or the unauthorized transfer by the employee of the employer’s proprietary or confidential information, trade secrets, or financial data.  Similarly, employees are required to provide login credentials if required to ensure the employer is complying with federal laws, federal regulations or the rules of a self-regulatory organization or if an investigation is underway and the information from the employee is necessary to make a factual determination in the investigation.

As previously mentioned, it is anticipated that similar legislation will continue to be introduced throughout 2015 and into the future.

Recently, Virginia Gov. Terry McAuliffe (D) signed a bill that limits employer access to the personal social media accounts of employees and job applicants.  The law, which takes effect on July 1, 2015, prohibits employers in Virginia from requiring, requesting, or causing a current or prospective employee to disclose the username and password to the individual’s social media account.  The law also prohibits employers from requiring an employee to add another employee, a supervisor, or an administrator to the list of contacts associated with the individual’s social media account or changing the privacy settings.  We have prepared a detailed article discussing the new law.

In 2012, Maryland was the first state to prohibit employers from demanding social media passwords.  In a trend that is likely to continue, Virginia now becomes the 19th state to implement a workplace social media password privacy law.