California Privacy Rights Act: Employment Data Obligations
How the California Privacy Rights Act affects employer handling of employee personal information and data privacy compliance.
AEA Editorial Team
CPRA Employment Data Provisions
The California Privacy Rights Act (CPRA), which amended and expanded the California Consumer Privacy Act (CCPA), extended full consumer privacy rights to employee personal information effective January 1, 2023. Previously, employee data was largely exempt from CCPA requirements. Under the CPRA, California employees, job applicants, and independent contractors now have the same privacy rights as consumers.
The CPRA applies to for-profit businesses that do business in California and meet at least one of the following thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers, households, or devices; or deriving 50 percent or more of annual revenue from selling or sharing personal information.
Employee Privacy Rights Under CPRA
Employees now have the right to know what personal information their employer collects and how it is used, the right to delete personal information in certain circumstances, the right to correct inaccurate personal information, the right to opt out of the sale or sharing of their personal information, and the right to limit the use of sensitive personal information.
Employers collect extensive personal information about employees, including Social Security numbers, financial information, health and benefits data, biometric information, performance evaluations, and background check results. All of this data is subject to CPRA requirements.
Employer Obligations
Employers must provide employees with a notice at collection that identifies the categories of personal information collected and the purposes for collection. This notice must be provided at or before the point of collection. Employers must also maintain an updated privacy policy that describes their data handling practices.
When employees exercise their rights, employers must respond within 45 days; the deadline may be extended by an additional 45 days provided notice is given. Employers may not retaliate against employees for exercising their privacy rights. However, employers are not required to comply with requests that would interfere with legal obligations, such as maintaining records required by employment law.
Data Minimization and Security
The CPRA introduced data minimization principles requiring employers to limit the collection, use, and retention of employee personal information to what is reasonably necessary and proportionate to the purposes for which it was collected. Employers must also implement reasonable security measures to protect employee data from unauthorized access, destruction, or disclosure.
The California Privacy Protection Agency (CPPA) enforces the CPRA and has authority to impose administrative fines of up to $2,500 per violation and $7,500 per intentional violation. Private lawsuits are also possible for data breaches resulting from the employer's failure to implement reasonable security measures.
Compliance Steps for Employers
Employers should conduct a data mapping exercise to identify all employee personal information collected, used, and stored. They should update privacy notices and policies to include employment-specific disclosures, establish processes for receiving and responding to employee data rights requests, implement data retention schedules that comply with both employment recordkeeping laws and CPRA data minimization principles, and train HR and IT staff on CPRA obligations.