Under the CPRA, employee personal information is any information that could be used to determine who a person is and how they work. California employees have all the same rights guaranteed by the California Privacy Rights Act as any other consumer. Learn all you need to know about CPRA and Employee Data here.
Employee personal information was regulated in California even before the California Privacy Rights Act (CPRA) was passed. The CPRA amends the California Consumer Privacy Act (CCPA), so you cannot get a complete picture of your data privacy requirements in California unless you understand the requirements of both laws together.
For now, California has three data protection laws: the CCPA, the CPRA, and CalOPPA. The first two regulate employee data privacy.
If you are wondering how the CCPA and CPRA regulate employee personal information in California, the short answer is: comply with the CPRA, and you will avoid violations and penalties.
Under the CPRA, employee personal information is any information that could be used to determine who a person is and how they work.
Beyond identifiers such as name, email address, or phone number, it also includes sensitive personal information such as social security numbers, financial data, health data, and, in some cases, biometric or geolocation data.
Personal information is not limited to California residents' data: data about individuals from other states and countries also qualifies as long as the business is based in California.
California employees have all the same rights guaranteed by the California Privacy Rights Act as any other consumer.
Just as a business must provide a privacy notice to website visitors, employers must provide one to job applicants, contractors, and employees at the time of data collection. The privacy notice must include the following:
In addition to their employment-specific rights, employees have the same CPRA rights that consumers have, which are:
Employees can exercise their rights just like any consumer. They submit requests through the designated methods, and the same rules that apply to consumer requests apply to them.
Requests to know (access requests), including requests to know how sensitive personal information is disclosed, are easier to honor. A request to delete requires more care: before deleting, check whether any exemption applies that permits or requires you to retain the data.
Businesses must sign written contracts with service providers that lay out the rules for data processing. This contract is very similar to the Data Processing Agreement required by the EU GDPR. Employee tracking software, any HR tool, job recruitment agencies, and recruitment software are all your service providers, and you need a contract with each of them. The contract must include the following:
Employers must ensure that employee data is well secured and that the risk of a data breach is minimized. Employee data often contains sensitive personal information, so the employer must conduct regular risk assessments and cybersecurity audits.
For now, personal information processed in an employment context is explicitly exempt from the scope of the CPRA.
The CPRA likewise does not cover personal information processed as part of business-to-business due diligence on a product or service.
However, that changes very soon, and you will then need to comply with the CPRA requirements described above.
CCPA employee data requirements are less extensive than those of the CPRA. Some employee data is exempt, and for other data the law's applicability is limited, for example when it comes to submitting employee requests: under the CCPA, employees could submit only a request to know.
The CPRA extends to employees the other CCPA rights as well as the new rights it establishes.
As explained above, the CPRA is far more extensive regarding employee personal information.
As a result, compliance with the CPRA will almost certainly imply compliance with the CCPA. Still, check all the CCPA requirements before concluding that you are compliant.
In addition, you have to consider your duties arising from California employment laws.
In addition to the CPRA employee personal information requirements listed above, see our extensive article on CPRA requirements in general.
Your CPRA compliance efforts should start with learning what you need to do first.
A gap analysis will show you where you stand now and where you need to go. Begin by creating a data inventory for your company; a data mapping exercise will help you understand how data flows within your organization and gives you an accurate picture of your current state.
From there, you can continue with the following:
This is just the minimum. There are further CPRA requirements you must meet to stay out of trouble with the California Privacy Protection Agency (CPPA).
By taking these steps, businesses will be able to comply with the CPRA's employee data requirements and help protect the privacy of their employees.