California Expands Privacy Law

November 12, 2020

California voters passed Proposition 24, which makes significant changes and adds new provisions to the CCPA.


  • California voters passed Proposition 24, the California Privacy Rights and Enforcement Act of 2020 (CPRA) which makes significant changes and adds new provisions to the CCPA.
  • The law goes into effect on January 1, 2023, with some provisions requiring a 12-month lookback period that would start January 1, 2022.
  • The CPRA extends the CCPA’s exemption of employee data until January 1, 2023.
  • The CPRA also extends the CCPA’s business to business exemption until January 1, 2023.


The CPRA expands and amends protections granted under the California Consumer Privacy Act (CCPA), which went into effect in January 2020. A majority the CPRA’s changes will take effect in January 2023 and apply only to personal information collected after January 1, 2022. Key highlights of the CPRA are summarized below.

Extended Exemptions for Employee and Business to Business Data

Effective immediately, the CPRA extends the CCPA’s existing exemptions for information relating to employees, independent contractors and job applicants, as well as information collected from consumers in a “business to business” context. These exemptions were set to expire on January 1, 2021 and will now continue until January 1, 2023.

Sensitive Personal Data

The CPRA establishes a new category of “sensitive personal information,” defined as:

1) personal information that reveals:

  • a consumer’s social security, driver’s license, state identification card, or passport number;
  • a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • a consumer’s precise geolocation;
  • a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; and
  • a consumer’s genetic data; and

2) the processing of:

  • biometric information for the purpose of uniquely identifying a consumer;
  • personal information collected and analyzed concerning a consumer’s health; or
  • personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

Starting January 1, 2023, businesses that collect “sensitive personal information” must disclose the categories of sensitive personal information collected, the purposes for which the information is collected or used, whether such information is sold or shared, and the retention period for each category.

Definition of Consent

The CPRA adds a new definition of “consent” that more closely aligns with the definition imposed the European Union’s General Data Protection Regulation (GDPR) by defining consent as “any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.”

Starting January 1, 2023, businesses will no longer be able to use general or broad terms of use/service or continued use of a product to constitute implied consent under the CPRA.  

Regulatory Enforcement

The CPRA creates the California Privacy Protection Agency (CPPA) and charges the agency with the enforcement of the privacy protections under the CCPA and CPRA. The CCPA will also issue regulations, with final regulations due by July 1, 2022.

Additional Provisions

Once the CPRA is effective, the new law will also implement the following:

  • New limits on automated profiling to analyze or predict aspects concerning a person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
  • New requirements for annual audits and regular risk assessments for high-risk businesses;
  • A new right for consumers to request correction of inaccurate personal information;
  • New penalties and increased fines for mishandling children’s data;
  • New restrictions on the length of time a business can retain personal information; and
  • New definitions, requirements, and obligations for service providers, contractors, and third parties.

Next Steps

Businesses that have already invested in CCPA compliance will need to review their policies and procedures to ensure timely compliance with these new CPRA requirements.

Paylocity clients can add a CCPA Notice in their job descriptions in Paylocity’s recruiting and onboarding modules. Please reach out to your dedicated account manager if you need assistance adding these notices.

Thank you for choosing Paylocity as your Payroll Tax and HCM partner. This information is provided as a courtesy, may change and is not intended as legal or tax guidance. Employers with questions or concerns outside the scope of a Payroll Service Provider are encouraged to seek the advice of a qualified CPA, Tax Attorney or Advisor.