Managing Employee Data Under CPRA

6 minute read. Learn how CPRA applies to managing employee data.

‍
‍The California Privacy Rights Act of 2020 (CPRA) is a significant consumer privacy law that applies comprehensive data protection to human resources data. This includes the individually identifiable information of job applicants, employees, independent contractors, dependents, and other HR data of California residents. The legislation regards these employees as “consumers,” granting them specific rights.

The law applies to for-profit companies that:

• Transact business in California and
• Collect the personal information of California residents
• Meet certain thresholds, for example, over $25 million in global annual revenue

Under the CPRA, by January 1, 2023, employers must have implemented procedures that allow this class of consumer control over their personal information. This control includes methods that are easily accessible to consumers, allowing them to:

• obtain their personal information
• delete or correct personal information
• opt out of the sale of personal information
• opt out of showing personal data across business platforms, services, businesses, and devices.

Importantly, the CPRA limits the use of sensitive personal information to the use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

An employer must implement procedures that notify employees of their rights. Employers are also required to implement procedures through which:

• Employees may exercise their rights
• Employer complies with a request
• Employer notifies the employee of the employer’s response to the request

The CPRA empowers employees to:

1. Request that a business delete any personal information about the employee that the business has collected from the employee
2. Request that an employer that maintains inaccurate personal information about the employee correct the inaccurate personal information
3. Know what personal information is being collected
4. Access the personal information held by the business
5. Know what personal information is sold or shared, and to/with whom it is sold or shared
6. Opt out of the sale or sharing of personal information

If they haven’t already, employers need to start the compliance process by implementing policies, procedures, and other compliance measures that satisfy the CPRA requirements.

How can PrivacyCare help?

To cost-effectively ensure you are complying with privacy regulations, you need to track employee requests to opt-out, review, access, delete, and obtain their data. Without an accurate system for tracking the status of each request, you risk costly penalties and reputational damage.

To strengthen and enhance CPRA compliance, PrivacyCare offers a system that features:

1. Customizable data-subject-request (DSR) forms that employees can use to initiate their data request.
2. Employee authentication.
3. A flexible record-keeping system that can support any DSR process, helping businesses comply with multi-state data privacy laws.
4. A database of the DSRs and their status.
5. A cost-effective solution that avoids unnecessary upgrades involving data analytics, data management, and data security functions.
6. A SaaS platform that eliminates the need for businesses to purchase and manage hardware or software.
7. Up-to-date with latest changes to data privacy laws across the U.S.

For help with your employee data privacy compliance challenges, get started here.