Californians recently voted to create the California Privacy Protection Agency and pass sweeping changes to the California Consumer Privacy Act of 2018 through the California Privacy Rights Act. The California Attorney General’s Office has been actively enforcing the CCPA since July 2020 and will continue to have enforcement powers alongside the California Privacy Protection Agency under the amended CCPA. Meanwhile, the California Privacy Protection Agency will update the existing CCPA regulations and adopt new ones.

Employers will have to disclose that they have been “selling” personal information of California employees under the California Consumer Privacy Act (CCPA), unless they update commercial contracts with service providers and other business partners effective 1 January 2022. Also, employers should tighten their data retention and deletion protocols, because CCPA requires data minimization and California employees are gaining broad data access, portability, and correction and deletion rights. Deployments of Artificial Intelligence, employee monitoring software, and automated decision-making are coming under increased scrutiny, too, pursuant to CCPA. Employers face these new requirements in addition to an existing obligation under CCPA to issue privacy notices to employees, which has applied since 1 January 2020 and required an update when the California Privacy Rights Act of 2020 (CPRA) took effect on 16 December 2020.

The California Privacy Rights Act of 2020 (CPRA) introduces sweeping changes to the California Consumer Privacy Act of 2018 (CCPA), most of which will become operative as of 1 January 2023 with a “look back” to 1 January 2022.

Every day companies around the world grapple with how best to protect critical business data. However, retaining personal information about an individual or employee for longer than necessary makes it more likely that the information will be subject to unauthorized or accidental access, use or disclosure. It could also violate the terms of the individual’s consent and reasonable expectations of privacy.

Baker McKenzie Partner Theo Ling and Associate Jonathan Tam recently outlined an approach on how to develop a privacy-enriched data retention policy, published in The Canadian Privacy Law Review. The piece discusses the steps organizations can take to determine and document how long to retain personal information collected across its operations.

The Government of Canada has amended the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which generally governs the collection, use, and disclosure of personal information by private sector organizations in all Canadian provinces except for Alberta, British Columbia and Québec. Some of the amendments came into force immediately as…