The California Privacy Rights Act (CPRA) supplements the California Consumer Privacy Act (CCPA), extending privacy rights to employees and placing new compliance requirements on employers. Read on to discover how CPRA changes CCPA employee data requirements and its impact on HR data handling, and learn the best ways to remain compliant.
What is the CCPA?
The CCPA first came into effect in 2020 and is a comprehensive data privacy law that grants California residents rights over the handling of their personal information. These include the right to:
- Know what information is collected, used, shared, or sold by businesses
- Request the deletion of personal information held by businesses
- Opt out of the sale of their personal information
The law requires companies doing business in California to inform their customers about data practices and implement reasonable security measures to protect personal information. By providing legal protection for consumer data, California became one of the first states to introduce legislation similar to the EU’s General Data Protection Regulation (GDPR).
What is the purpose of the CPRA?
The purpose of the CPRA is to extend and enhance privacy rights, particularly in light of technological advancements and evolving privacy concerns. It amends and expands upon existing CCPA employer requirements without replacing them. The law gives California residents more control over their personal data and imposes new requirements on businesses.
HR data and employee information were exempted from the CCPA’s original compliance and protection requirements. With the CPRA, those exemptions have been allowed to expire and all the privacy rights and protections in the CCPA have now been extended to employees, job applicants, and contractors. This means that companies must meet these new compliance requirements and take appropriate steps to protect HR data.
The CPRA also introduces new concepts such as “sensitive personal information,” and authorizes the California Privacy Protection Agency (CPPA) to enforce these laws and ensure that companies maintain compliance.
Who and what do CCPA employee data requirements cover?
Understanding the scope of the CCPA is vital for HR departments to correctly determine their specific compliance obligations.
Any company doing business in California is considered a regulated entity under the CPRA if it meets at least one of the following thresholds:
- Reports an annual gross revenue of at least $25 million
- Buys, sells, or shares the personal information of at least 100,000 California residents
- Derives at least 50% of revenue from selling or sharing the personal information of California residents
If your business meets these criteria, a wide range of your employee data is subject to the CCPA. This includes personal information collected in the course of the employment relationship, such as contact details, resumes, employment history, performance evaluations, and benefits information. In addition, the CCPA gives employees the right to control “sensitive personal information” such as Social Security numbers, financial information, and biometric data. To be fully compliant with the CCPA, companies must take steps to protect this employee data in all its forms, including through techniques such as redaction and encryption.
Employee rights and employer obligations
Since January 1, 2023, the CPRA has granted California employees the same comprehensive privacy rights previously available only to consumers. Employees, job applicants, contractors, and board members who are California residents now have substantial control over their personal information in the workplace.
Six core employee rights under CCPA/CPRA
Right to know
Employees have the right to know when employers are monitoring them and for what purpose. They can access information about what personal data is collected, why it is used, and with whom it is shared.
Right to delete
Employees can request deletion of personal information collected from them, including employment records and performance evaluations that are no longer necessary for disclosed business purposes.
Right to correct
Employees have the right to correct inaccurate personal information that could affect career advancement, compensation decisions, or other workplace outcomes.
Right to opt out of sale or sharing
Employees can opt out of employers selling their data and have the right to know whether employers are profiling them or buying data about them, such as social media activity.
Right to limit use of sensitive personal information
Employees can direct businesses to use sensitive personal information (Social Security numbers, union membership, health information, biometric data) only for limited purposes.
Right to non-discrimination
Employers cannot retaliate against employees who exercise their privacy rights through adverse employment actions, different compensation, or denial of services.
Employer obligations and response requirements
Notice requirements
Employers must provide employees with a comprehensive privacy notice at or before the time personal information is collected. This notice must include categories of information collected, business purposes, retention periods, employee rights, and how to exercise those rights.
Response timeframes
Businesses must confirm receipt of employee requests within 10 business days and respond substantively within 45 calendar days (extendable to 90 days). For opt-out requests, businesses must comply within 15 business days.
Data retention and vendor requirements
Personal information must not be retained longer than reasonably necessary. Businesses must enter into Data Processing Agreements with vendors accessing employee data and conduct compliance audits.
Understanding these rights and obligations is essential for both employees and employers to ensure proper compliance with California's enhanced privacy protections in the workplace.
Why CCPA compliance is critical for HR departments
If HR departments fail to comply with their CCPA obligations, they leave themselves and their businesses on the hook for hefty fines and costly legal action. It’s also important to note that the CCPA gives employees the right to seek damages for breaches of certain sensitive data. Even without running into legal action or fines, being accused of non-compliance can cause harm to your organization’s reputation. Employees, consumers, and business partners alike are likely to lose trust in companies that fail to adequately protect private information and comply with the law.
Effective HR data protection measures, such as redaction, are essential tools for safeguarding employee privacy, maintaining compliance, and protecting the integrity of your firm.
What are the key CPRA requirements for employee data?
The California Privacy Rights Act introduces several new requirements for managing employee data, including:
Expanded privacy notices
Employers must now provide employees with a comprehensive privacy notice that includes information on the categories of personal information collected, the purposes for collection, and the length of time the data will be retained. This privacy notice must also inform employees of their rights under the CPRA, including the right to access, delete, and correct their personal information.
Expanded employee rights
Employees now have the right to access and obtain a copy of their personal data, request deletion of their data (subject to certain exceptions), and correct inaccurate information. The CPRA also gives employees the right to limit the use and disclosure of their sensitive personal information and opt out of the sale or sharing of their data.
Data retention limitations
Personal information must not be retained for longer than is reasonably necessary for the disclosed purposes. Businesses are now required to inform employees of the length of time they intend to retain each category of personal information and the criteria used to determine the retention period.
One way to maintain compliance with these data retention limitations is to use automated redaction software to effectively remove all unnecessary sensitive data from documents as soon as they are received.
Differences between consumer and employee data under CCPA
Before January 1, 2023, employee data enjoyed significant exemptions under the CCPA that set it apart from consumer data protections. However, the expiration of these exemptions has fundamentally changed how employee information is treated under California privacy law.
Historical exemptions (pre-2023)
Until the end of 2022, covered employers were only obligated to notify employees of the categories of data being collected and the purposes for which the data would be used. Employee data was exempted from most of the CCPA's requirements, including the rights to access, delete, and correct personal information.
The CCPA contained a limited exemption for personal information collected by a business about an individual who is a job applicant or employee, owner, director, or independent contractor of the business. The employee exemption applied only when the information was collected and used "solely within the context of [the individual's] role or former role" as a job applicant, employee, owner, director, or independent contractor.
Current treatment (post-2023)
Starting in 2023, employee data is treated like any other commercial information, and covered employers must add employee and human resources data to their ongoing compliance efforts. California workers are now included in CCPA protections with the same comprehensive privacy rights previously available only to consumers.
Key differences that remain
Contextual considerations
While employees now have the same rights as consumers, there are practical differences in how these rights apply in the workplace context. California has yet to provide clear guidance on how traditionally consumer-facing rights and obligations translate practically with regard to employee interactions.
Relationship dynamics
Unlike traditional consumer relationships, employee data is collected within an ongoing employment relationship where power dynamics and practical considerations may affect how rights are exercised. The CCPA allows workers to designate authorized agents, such as unions and other worker organizations and advocates, to make requests for data access, correction, or deletion on their behalf.
Data types and purposes
While the California Labor Code already provides workforce members the right to know about certain information an employer has collected, such as payroll records, signed documents, and personnel files, workforce members now have a right to additional information under the CPRA, such as geolocation, biometric information, internet activity, and inferences drawn.
Enforcement considerations
Businesses should evaluate whether these rights should be limited to California residents. Doing so may raise employee relations issues, as team members may express concerns about the collection and usage of their personal information on a perceived inequitable basis.
The elimination of employee exemptions means that HR departments must now implement the same comprehensive data privacy compliance programs that were previously required only for consumer data, including privacy policies, request handling procedures, and data retention protocols.
Top 5 strategies for CCPA employee data compliance in HR data management
There are several effective strategies you can use to overcome the new compliance burdens imposed by the CCPA employer requirements:
1. Conduct a data inventory and mapping exercise
Identify all categories of employee data collected, processed, and shared by your organization. Map the flow of this data throughout your organization and examine your processing strategies, retention periods, and third-party access to data.
2. Update privacy policies and notices
You likely already have a framework of privacy policies and notices that you employ for both internal and external communication. Revise this documentation to include the CPRA-required items such as the categories of personal information collected, the purposes of collection, and employee rights. Ensure that privacy notices are provided to your employees at the moment of data collection and are easily accessible at all times.
3. Implement data retention and deletion processes
It’s important to establish clear data retention policies and procedures that align with CPRA/CCPA employer requirements. Develop and implement processes for securely deleting or anonymizing employee data when it is no longer needed for the disclosed purposes. Using redaction software can help protect sensitive information while retaining only the data required for legal and compliance purposes.
4. Develop procedures for handling employee rights requests
As the CPRA grants employees the right to make requests in relation to their data, you must ensure you have an established process for receiving, verifying, and responding to such requests. You must also provide your HR staff with training on how to handle access, deletion, correction, and opt-out requests.
5. Review and update third-party contracts
Assess existing contracts with third-party vendors and service providers that manage employee data. Consider if you need to update contracts and data processing agreements to include CPRA/CCPA employer requirements and ensure vendor compliance. Require vendors to implement encryption and redaction measures to protect employee data.
Handling data breaches and employee notifications
Data breaches involving employee information now carry the same notification requirements and liability exposure as consumer data breaches under CCPA/CPRA. Understanding these obligations is critical for HR departments to respond appropriately and minimize legal and financial exposure.
Reasonable security procedures requirement
CCPA and CPRA require businesses to implement and maintain "reasonable security procedures" to protect any data they hold from being destroyed, modified, or falling into unauthorized hands. Organizations must proactively protect employee data and respond appropriately when security incidents occur.
Types of incidents requiring notification
Several types of events can trigger notification requirements under CCPA/CPRA:
Unauthorized access and data theft
- Ransomware attacks where malware steals digital information
- Data exfiltration when hackers access data and transfer it to external servers
- Physical theft of devices containing unencrypted employee data
Human error incidents
- Mistakenly exposing personal information by sending it to the wrong person
- Sharing sensitive data over insecure channels
- Incorrectly updating or mistakenly deleting employee data
Physical security breaches
- Lost, stolen, or damaged physical data records (if they are the sole copy)
- Compromised access to secure facilities containing employee information
Notification requirements and timeline
Who must be notified
- Any California resident employee affected by the data breach
- The California Attorney General if a single event impacts more than 500 California residents
- Major statewide media for certain types of breaches
Timeline for notification
Notifications must be made "without unreasonable delay" once the breach is discovered. The disclosure must be made in the most expedient time possible, consistent with legitimate law enforcement needs and measures necessary to determine the scope of the breach and restore system integrity.
Exceptions to timing
Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. The delay can be for up to 60 days if requested in writing, or 30 days if requested orally.
Required notification content
Breach notifications must be written in plain language, titled "Notice of Data Breach," and include:
Mandatory information
- Name and contact information of the reporting organization
- List of types of personal information that were or are reasonably believed to have been subject to the breach
- Date of the breach, estimated date, or date range (if determinable)
- Whether notification was delayed due to law enforcement investigation
- General description of the breach incident
Additional requirements for specific data types
If the breach exposed Social Security numbers, driver's license information, or California identification card numbers, the notification must include:
- Telephone numbers and addresses of major credit reporting agencies
- Offer of appropriate identity theft prevention and mitigation services at no cost for at least 12 months
Employee litigation rights under CCPA
Employees can bring private legal action for statutory damages if their nonencrypted and nonredacted personal information was stolen in a data breach as a result of the business's failure to maintain reasonable security procedures. Employees may recover statutory damages of between $100 and $750 per incident or actual damages, whichever is greater.
Pre-litigation requirements
Before filing a lawsuit, employees must provide 30 days' written notice identifying the specific CCPA violation. If the business can cure the violation within this period and provide written confirmation, the employee cannot proceed with litigation unless violations continue.
Incident response best practices
Immediate response steps
- Assess the scope and nature of the breach
- Contain the security incident to prevent further exposure
- Determine what personal information was affected
- Document the incident for regulatory reporting
Ongoing obligations
- Preserve evidence for potential investigations
- Coordinate with legal counsel on notification strategies
- Review and update security procedures to prevent future incidents
- Monitor for signs of identity theft or misuse of exposed information
Documentation requirements
Maintain detailed records of breach response activities, including discovery timeline, affected data categories, notification activities, and remediation efforts taken to address security vulnerabilities.
Understanding these requirements helps HR departments respond effectively to data breaches while protecting both employee privacy and organizational interests under California's comprehensive privacy framework.
Redactable's AI-based redaction platform for CCPA compliance
HR departments can streamline CCPA compliance by using Redactable’s AI-based redaction platform to enhance their data protection efforts.
Among its many benefits, Redactable offers:
- An auto-redaction wizard that quickly identifies and permanently redacts sensitive employee information
- Time-stamped redaction certificates for efficient redaction activity monitoring and audit trails
- A user-friendly interface and step-by-step guidance that reduce the risk of human error
- A built-in OCR tool to enable the redaction of scanned physical documents, eliminating the need for manual redaction and saving valuable time and resources
Redactable prioritizes the security of personal and sensitive information, ensuring that employee data always remains protected throughout the redaction process.
Effective compliance IS intentional
The CPRA extends the protections granted to consumers under the CCPA to employees, contractors, and job applicants and introduces a number of new compliance obligations. It’s important to take proactive steps to align your employee data management practices with these additional CPRA requirements.
With Redactable’s AI-based redaction platform, you can instantly remove sensitive data and achieve effective compliance with the click of a button.