[More on California] CPRA 2020: How it Started & How it’s Going


We recently posted a State of the State insight on California’s CalAIM initiative – check it out here!

MediSked takes data privacy and protection very seriously. We have a dedicated team of professionals in Cybersecurity, Compliance, and Human Resources who strive for excellence in protecting the data of both our clients and our own personnel. As part of that effort, we constantly follow regulatory changes to ensure that our platforms remain compliant and safe.

How it Started

California passed the California Privacy Rights Act (CPRA) of 2020 with the intent to substantially expand the privacy and information security of Californians. The act dramatically expanded the obligations of employers doing business in California by introducing a new and complex legal framework for them to follow. It was passed by voters as an amendment to the previous California Consumer Privacy Act.

The CPRA applies to all for-profit entities doing business in California that collect personal information from California consumers and had gross annual revenue of $25 million in the preceding year.

Identifying whom this act applies to, and how its provisions can be met, is an ongoing process for many compliance and HR departments. In its initial roll-out, not all of the provisions took effect. As you may imagine, an act of this scale and ambition takes time for companies to adopt properly.

How It’s Going

On January 1, 2023, the full scale of the CPRA will take effect, including an expansion into employee data. Under this act, an employee is also considered a “California Consumer.”

The CPRA establishes the following rights for employees regarding their sensitive personal data:

Right to Know and Access can be loosely defined as an employee knowing what personal data has been collected and having the ability to access that information. Access requests only apply to personal data dating back 12 months from that request.

Right to Correct personal data applies to objectively false personal information, such as a date of birth or an address. It does not apply to subjective data such as a performance review or evaluation. A company must also use commercially reasonable effort to make the change.

Right to Delete allows employees to request that Personal Information (PI) collected from them be deleted. There are legal exemptions that may preclude a company from deleting that information. The CPRA, however, extends deletion requests to service providers, contractors, and third parties to which the business has sold or shared that specific information.

Right to Opt-Out of Sale/Behavioral Ads is exactly what it says. By definition, a sale encompasses any sharing of data for value, monetary or otherwise. Most employers do not use personal data for ads or intend to sell the data.

Right to Restrict Use of Sensitive Data only applies to sensitive personal data that is used for the purpose of inferring characteristics about the employee.

Right Against Retaliation prevents employers from punishing those who choose to opt out or exercise any of the rights granted by the CPRA.

Enforcement of privacy violations in California was traditionally handled by the state's Office of the Attorney General. The CPRA removes that power and creates the California Privacy Protection Agency to assume the enforcement role. The CPRA also removes the 30-day cure period for data breaches, triples the penalties for violations involving a minor under the age of 16, and expands the types of data breaches that are considered in scope. This legislation is expected to take effect, as attempts at compromise have failed.

Why do we care?

The best way to stay on top of all these provisions is to know what data is being collected and for what purposes. The pandemic brought about a rapid and sudden change to a more digitized world. Protecting the rights and privacy of data as well as using it appropriately is a top priority. This act pushes companies to maintain robust policies and ensure their technology solutions are efficient and strong.

Other states will weigh in with their own ideas about data privacy and security over the coming years, which means this is likely only the first version. As the world becomes more advanced, the need to protect an individual's data becomes ever more apparent.

Having the right solutions is the only way to grow.

MediSked is a leader in data security, hosting, deployments, and policy development. Our platforms offer high system availability and security and are designed to your specifications. MediSked's clients routinely collaborate with our internal Compliance professionals on the latest regulatory requirements and guidance to promote consistent compliance and industry expertise.

We utilize the most up-to-date practices for the industry to successfully deliver our cloud-based Software-as-a-Service (SaaS) solutions with world-class availability, security, and privacy.

Learn more about MediSked’s security expertise here!


Evan Christenson, Esq.

Evan Christenson, Esq., a Compliance Policy Analyst, joined MediSked in 2021, and is a licensed attorney with an educational background in Business Intelligence. Evan’s primary focus is industry research and maintaining regulatory compliance with state and federal laws such as HIPAA and HITECH, as well as analyzing, drafting, and implementing new policies to ensure MediSked’s continued compliance for the clients we serve.
