Employee Privacy Rights Under CPRA

New California Employer Requirements as of January 1, 2023

As of January 1, 2023, the California Privacy Rights Act of 2020 (CPRA) requires employers to take extra steps to protect and secure the personal information of their employees. These provisions significantly expand an employer's privacy and information security obligations if they do business in California.

Who is Subject to CPRA?

Companies will be subject to the provisions related to employment data under the CPRA if they meet the jurisdictional scope of the law and have any employees or contractors in California, even if their business is not headquartered in the state.

A business falls within the scope of the CPRA if it meets at least one of the following thresholds:

  • Had annual gross revenue above $25 million in the previous calendar year; or
  • Annually collects, stores, analyzes, discloses, or otherwise uses ("processes") the personal information of 100,000 or more California residents or households; or
  • Derives at least 50 percent of its annual revenue from selling (disclosing to a third party for monetary or other valuable consideration) or sharing (disclosing to a third party for targeted advertising) the personal information of California residents.

Because only one of these criteria needs to apply, not all of them, even smaller businesses may fall within the scope of the CPRA if they have any California employees.

What Is "Personal Information" Under the CPRA?

The CPRA defines "personal information" as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This includes not only name and email address but also any data points connected to someone, such as an IP address, metadata and usage data, photos, audio and video recordings, professional and employment information, and inferences about them. The contents of job applications, employee personnel records, employee tracking, and employee communications are "personal information" under the CPRA.

What Are Employers' CPRA Obligations?

There are three main categories of compliance for employers: notice, employee rights, and data governance. In addition, companies subject to the CPRA must comply with roughly the same obligations they already have for their consumers' data under the California Consumer Privacy Act (CCPA).

Notice

Employers must prepare and provide a privacy notice to an employee and job applicant at or before the time personal information is collected. This notice must include the categories of sensitive personal information, whether that sensitive personal information is sold or shared, and the length of time the employer intends to retain each category of sensitive personal information. In addition, if an employer allows a third party to collect personal information on its behalf, the CPRA requires that the third-party collector provides notice at collection.

Employee Rights

Employees, job applicants, and contractors have several rights concerning the collection and use of their personal information, subject to exceptions. They can:

  • Access the specific pieces of personal information an employer holds about them (including any profiles or inferences) that were generated on or after January 1, 2022.
  • Correct inaccurate personal information.
  • Delete personal information collected from them (subject to certain exceptions, including to comply with a legal obligation).
  • Restrict the use of their sensitive personal information for specific business purposes or limited disclosures.
  • Opt out of the sale of personal information to third parties.

When an employee, contractor, or job applicant requests to exercise one of these rights, the employer is required to honor the request within 45 days. Employers must evaluate each request and determine their obligations under the CPRA, since the law sets specific criteria under which an employer may deny a request.

Data Governance

Businesses that have vendors with access to their personal information must enter into a Data Processing Agreement (DPA). This requirement applies regardless of the types of personal information the vendor processes. Businesses must also conduct audits on their vendors to ensure they can process personal information in compliance with the CPRA. Companies that have built their data collection, use, and storage systems for compliance with CCPA may find that they can use their existing systems to prepare for CPRA and its application to employment-related personal information.

Employee Training

As processes for rights requests are developed, the employees responsible for responding to requests must undergo training about the CPRA and the rights procedures. For most companies, this will likely be human resources representatives in collaboration with technology specialists.

Penalties

The California Attorney General and the California Privacy Protection Agency (CPPA) will enforce the CPRA. Enforcement begins July 1, 2023, which gives businesses a six-month grace period to meet the compliance standards. Once enforcement begins, companies alleged to have violated the CPRA will have a 30-day "cure" period to fix violations and thus avoid civil penalties. Violations that remain uncured after that period may result in civil penalties of up to $7,500 per violation.

To prepare for the CPRA, employers should identify where personal information is stored, including employee personal information, and create a data inventory. They should also identify their service providers, prepare the required notices, review the contracts they maintain with each vendor, and amend those agreements as necessary to meet CPRA requirements. Finally, employers subject to the CPRA should work closely with their privacy professionals to ensure compliance.

The information contained herein is not intended to be legal, accounting, or other professional advice, nor are these comments directed to specific situations. The information contained herein is provided as general guidance and may be affected by changes in law or regulation. The information contained herein is not intended to replace or substitute for accounting or other professional advice. Attorneys or tax advisors must be consulted for assistance in specific situations. This information is provided as-is, with no warranties of any kind. CBIZ shall not be liable for any damages whatsoever in connection with its use and assumes no obligation to inform the reader of any changes in laws or other factors that could affect the information contained herein.