CPRA and Employee Data: What You Need to Know

Employee personal information was regulated in California even before passing the California Privacy Rights Act(CPRA). This law was made to amend what was already held by the California Consumer Privacy Act (CCPA), so you cannot get a complete picture of your data privacy requirements in California unless you understand the requirements of both privacy laws at once.

For now, the California legislature has three data protection laws: the CCPA, CPRA, and CalOPPA. The first two regulate employee data privacy.

Suppose you wondered how the CCPA and CPRA regulate employee personal information in California. In that case, the short answer is: comply with the CPRA, and you’ll avoid violations and penalties.

CPRA and Employee Data

Under the CPRA, employee personal information is any information that could be used to determine who a person is and how they work.

Aside from data like name, email address, or phone number, it always includes sensitive personal information like social security numbers, financial data, health data, and, in some cases, biometric or geolocation data.

Aside from California residents’ data, data from individuals from other states and countries are also eligible for personal information as long as the business is based in California.

What Are the Employee Data Requirements under CPRA?

California employees have all the same rights guaranteed by the California Privacy Rights Act as any other consumer.

CPRA Employee Privacy Notice

Employers, like website visitors, must provide a privacy notice to job applicants, contractors, or employees during data collection. The privacy notice must include the following:

• Categories of sensitive personal information collected, such as health data, social security numbers, financial data, etc.,
• Whether the data is shared or sold,
• The retention period of each category of personal information,
• How consumer rights requests are handled,
• Who collects the data (is it the human resources team, an outsourced recruiter, etc.),
• Purposes of collection, or,
• Purposes of sharing and selling employee personal information.

Honoring Consumer Rights Requests

Aside from employee rights, employees have the same CPRA rights that consumers have, which are:

• Right to access the personal information held by the employer
• Right to correction of the consumer’s personal information
• Right to deletion
• Right to opt out of the sale or sharing of personal data
• Right to data portability
• Right to limit the use of their sensitive personal information
• Right to no retaliation for exercising their privacy rights

Employees can exercise their rights just like any consumer. They can submit employee requests via designated methods. The rules for consumers apply to them as well.

Access requests, or requests to know about disclosing sensitive personal information, are easier to honor. But if you get a request to delete something, you should see if there are any exemptions to this rule.

Contracts with Service Providers

Businesses must sign written contracts with service providers to lay out the rules for data processing. This contract is very similar to the Data Processing Agreements required by the EU GDPR. If you use employee tracking software, any HR tool, job recruitment agencies, or software, they are all your service providers, and you need to sign a contract with them. The contract must include the following:

• The purposes and limitations of employee data processing,
• Prohibition of using, disclosing, or retaining personal data for purposes other than those specified in the contract, which shall include employment and recruitment,
• Stipulation requiring vendors to comply with the CPRA and to notify you if they do not comply with any of the provisions anymore or temporarily,
• Stipulation requiring service providers to allow you to take reasonable steps to ensure they are compliant, such as conducting audits,
• Provisions allowing you to take reasonable steps to stop and remedy any unauthorized access to your employees’ data,
• Provisions related to consumer requests to which the service provider must respond to help you comply,
• Prohibition of sale or sharing of the data and,
• Stipulation requiring to notify you if and when they use subprocessors.

Data Breaches and Data Security

Employers must ensure that employee data is well-secured and the risk of data breaches is minimized. There is often sensitive personal information in employee data, so the employer must do regular risk assessments and cybersecurity audits.

What Are the CPRA Exemptions for Employee Data?

For now, personal information processed in an employment context is exempt from the CPRA. It is explicitly exempt from its scope.

• In an employment context, personal information about job applicants, employees, independent contractors, directors, officers, medical staff, or business owners,
• the necessary information to administer benefits to these individuals, and,
• The emergency contacts of these persons.

Aside from that, CPRA does not cover personal information processed as part of a business-to-business due diligence check on a product or service.

However, that changes very soon, and you’ll need to comply with the above mentioned CPRA requirements.

CCPA Employee Data Requirements

CCPA employee data requirements are inferior compared to those provided by the CPRA. Some of the employee data is exempt. For some, the law’s applicability is limited, such as for submitting employee requests. Under the CCPA, employees could submit only a request to know.

The CPRA extends employee rights to the other CCPA rights and the new rights established by the CPRA.

CPRA and CCPA Combined: What Do They Require From Businesses?

As we explained above, CPRA is far more extensive regarding employee personal information.

As a result, compliance with the CPRA will almost certainly imply compliance with the CCPA. However, check through all the CCPA requirements before concluding your compliance.

In addition, you have to consider your duties arising from California employment laws.

Aside from reading through the CPRA employee personal information requirements listed above, check out our extensive article on CPRA requirements in general.

How to Comply with CPRA Employee Data Requirements

Your CPRA compliance efforts should start by learning what you need to do first.

A gap analysis will help you realize where you stand now and where you need to go. You should begin by creating a data inventory for your company. A data mapping exercise would help you understand how data flows within your organization. That’s where you’re at right now.

From there, you can continue with the following:

• Ensuring that you process only the minimum necessary personal information
• Creating employee privacy notices
• Updating your contracts with service providers, if necessary
• Ensure that your data is secure by conducting regular risk assessments and cybersecurity audits
• Implement systems and procedures for honoring employee requests.

This is just the minimum. There are more CPRA requirements to stay out of trouble with the California Privacy Protection Agency (CPPA).

By taking these steps, businesses will be able to comply with the CPRA's employee data requirements and help protect the privacy of their employees.