Employee Rights Under the CPRA: Prepare Your Business for CPRA Compliance

Batja Huisman
Batja Huisman
Sep 18, 2022
min read
Employee Rights Under the CPRA: Prepare Your Business for CPRA Compliance

The state of California was the first to introduce state privacy laws in the US. The California Consumer Privacy Act (CCPA) led the way with several privacy rights regulating consumer data privacy protection, similar to the European GDPR.

However, amendments have been made with the approval of the California Privacy Right Act (CPRA), which will also cover instances of employee privacy. Under the act, which will go into effect on January 1, 2023, employees will now have certain rights in relation to the protection of their personal information. This creates a new set of privacy requirements that businesses should consider concerning employee data.

Definition of an employee

The CPRA identifies employees as California residents who take up different positions in a company, such as full-time employees, part-time employees, applicants, and contractors. Employers can decide which remote employees are subject to the CPRA.

Employee privacy rights under the CPRA

The California Privacy Rights Act (CPRA) provides California employees with several privacy rights as regards their personal data, including:

  • The right to access their personal information
  • The right to delete their data when necessary
  • The right to correct or rectify inaccurate user data
  • The right to opt-out of the sale or sharing of user data with third parties
  • The right to limit the use and disclosure of employees' data for secondary reasons
  • The right to request information on automated decision-making as regards their PI
  • The right to opt-out of automated decision-making, including individual profiling
  • The right to non-discrimination

Employers are obligated to honor these employees' DSRs.

The main difference between consumer and employee rights under CPRA

Californian consumers enjoy several rights that may not necessarily apply in the same way to employees. For instance, the act gives the right to limit the use and disclosure of Sensitive Personal Information (SPI). This applies to personal information gathered with the aim of inferring characteristics.

Most companies don’t use SPI with the intention of finding out anything about the people they employ. Instead, typical uses for SPI include fulfilling responsibilities like payroll processing.

To whom and how it applies

The California Privacy Rights Act (CPRA) applies to for-profit companies operating in California and collecting consumers’ data, irrespective of where they are based. It expands the scope of the CCPA by adding new requirements for employers. This policy applies to businesses that:

  • Transfers or shares user data of more than 100,000 consumers
  • Has annual global revenue of over $25 million in the last 12 months
  • Derives at least half of its annual income from sharing people's data

Business obligations

  1. Employers are obligated to inform their employees and job applicants about how they handle their personal data. Hence, they must provide a privacy policy before collecting any personal information.
  2. Employers are required by law to respect employees’ data subject requests (DSR), like the right to access, delete, correct, know, access their information, etc.
  3. Businesses are obligated to enter into a data processing agreement (DPA) with third-party service providers or companies that may have access to their human resources data.
  4. Entities must follow robust security procedures to protect users’ personal information from unauthorized access, misuse, or disclosure.

Enforcement and fines

The California Privacy Protection Agency (CPPA) will be in charge of enforcing privacy protection laws in California. The agency has the right to give defaulting entities ample time to remediate before they are fined for violations.

Defaulters can be fined up to $7,500 per intentional violation and $2,500 for every unintentional violation. As part of CPRA’s policy, if a company knowingly violates any privacy laws protecting minors’ data, it’s subject to $7,500 for each infraction.

Steps businesses should take toward compliance

It's essential for any business that has employees or contractors in California to prepare for the new regulation. To make sure your business is compliant with the CPRA, now is the time to act and create a plan with your company’s legal, technology, privacy, and HR team to be ready for when the law goes into effect.

Review and update your privacy policy

The CPRA requires that all businesses that collect, use, and disclose personal information from consumers must be transparent about their practices and seek customer consent before using or sharing their data for third-party advertising purposes. Companies should therefore ensure that they update their privacy notices to reflect new employees’ and applicants’ rights.

Carry out a data mapping exercise

Organizations should understand the personal information associated with their employees by carrying out a data mapping exercise. It is important to know what data the organization collects on its employees, how it is saved, and if the information is shared or processed with third parties.

This exercise allows employers to identify any problems that may exist in their privacy and security systems and to ensure they comply with the extensive CPRA regulations.

Create an up-to-date DPA 

Companies should ensure they have an up-to-date DPA sub-processors list that includes all third-party vendors that process employees' personal information.

Conduct risk assessments

With the increase in cyber-attacks, privacy and information security have become a top priority for businesses across the globe. It's well-known that data breaches can significantly impact a business's reputation, brand, bottom line, and competitive position. Accordingly, it is recommended that CPRA-regulated companies conduct risk assessments to understand and fill compliance gaps.

Companies should perform regular risk assessments of processing activities to determine whether they pose privacy risks. An important factor to consider when evaluating a processing activity is whether an employee's sensitive PI data is used. In assessing processing activities, privacy risks must be weighed against the benefits they provide. Businesses should consider the risks they face and come up with a strategy that takes these risks into account.

How Mine PrivacyOps can help

The Mine PrivacyOps platform makes it easy to comply with privacy regulations like the CCPA. Streamline and automate your DSR handling, data mapping, and privacy risk assessment with the no-code privacy suite that can be set up in less than thirty minutes.