Employee, Applicant, Vendor/Contractor Data: CPRA
Starting in January 2023, the CPRA extends the rights it gives consumers to the personal information of employees and applicants. From that date, the individually identifiable information of applicants, employees, independent contractors, dependents, and other HR records of California residents is covered under CPRA, and the same rights and access are granted to consumers, employees, and applicants alike.
Starting in January 2023, CPRA requires that businesses notify employees, applicants, vendors, and contractors at or before the point of collection when personally identifiable information (PII) or sensitive personal information (SPI) is collected and used. The notice must include:
- The categories of PII and SPI to be collected;
- The business purposes for which each category of PII and SPI is being collected and used;
- Whether the PII or SPI is sold or shared, and the right to opt out if it is;
- How long each category of data is retained, or the criteria used to determine that retention period.
CPRA's employee provisions cover California residents acting as employees (full and part time), job applicants, independent contractors, and vendors. Employee rights mirror the consumer rights granted under CPRA:
- The right to know
- The right to correct
- The right to delete
- The right to opt out of the sale or sharing of their data
- The right to limit the use and disclosure of SPI
- The right not to be discriminated against for exercising these rights
In addition to providing full notice of rights, CPRA requires that covered entities offer a Data Subject Access Request (DSAR) system that employees, contractors, applicants, and vendors can use to make and record bona fide data access requests. Employee data that businesses need in the ordinary course of business, including for benefits and payroll, falls under certain statutory exceptions that businesses can rely on: data that is critical to providing necessary services and benefits can be exempt from requests made by data subjects. The exception must be confirmed per category of data, not assumed for HR records as a whole.
As the first steps toward CPRA compliance for employee data, companies will need to:
- Perform data mapping: List and map all of the PII and SPI collected on employees (full and part time), job applicants, independent contractors, and vendors.
- Locate data across sources: Verify and confirm every repository and storage location holding the identified PII and SPI, so that requests can be fulfilled completely.
- Have a functioning DSAR platform or system: Provide a DSAR system that employees (full and part time), job applicants, independent contractors, and vendors can use to make data subject access requests. The system must be able to verify the identity of the requester, and record and track each request through to completion.
- Review employee notices: Review all notifications given to employees (full and part time), job applicants, independent contractors, and vendors at the point of collection regarding data rights, access, and usage.
- Review security and storage processes: Determine retention periods, data minimization rules, and security controls to ensure that data is properly safeguarded, and that only the fields that are necessary are kept, for no longer than the stated retention period.