The California Privacy Rights Act (CPRA) amends and supplements the California Consumer Privacy Act (CCPA), extending privacy rights to employees and placing new compliance requirements on employers. Read on to discover how the CPRA changes CCPA employer requirements, what that means for HR data handling, and how to remain compliant.
What Is the CCPA?
The CCPA first came into effect in 2020 and is a comprehensive data privacy law that grants California residents rights over the handling of their personal information. These include the right to:
- Know what information is collected, used, shared, or sold by businesses
- Request the deletion of personal information held by businesses
- Opt out of the sale of their personal information
The law requires companies doing business in California to inform their customers about data practices and implement reasonable security measures to protect personal information. By providing legal protection for consumer data, California became one of the first states to introduce legislation similar to the EU’s General Data Protection Regulation (GDPR).
What Is the CPRA?
The purpose of the CPRA is to extend and enhance privacy rights, particularly in light of technological advancements and evolving privacy concerns. Approved by California voters in November 2020, with most of its provisions operative from January 1, 2023, it amends and expands upon the existing CCPA requirements without replacing them. The law gives California residents more control over their personal data and imposes new requirements on businesses.
HR data and employee information were largely exempted from the CCPA’s original compliance and protection requirements. The CPRA allowed those exemptions to expire on January 1, 2023, so the privacy rights and protections in the CCPA now extend to employees, job applicants, and independent contractors. This means that companies must meet these compliance requirements and take appropriate steps to protect HR data.
The CPRA also introduces new concepts such as “sensitive personal information,” and authorizes the California Privacy Protection Agency (CPPA) to enforce these laws and ensure that companies maintain compliance.
Who and What Do CPRA/CCPA Employer Requirements Cover?
Understanding the scope of the CPRA is vital for HR departments to correctly determine their specific compliance obligations.
Any company doing business in California is a regulated entity under the CPRA if it meets at least one of the following thresholds:
- Reports annual gross revenue of at least $25 million (a figure adjusted periodically for inflation)
- Buys, sells, or shares the personal information of at least 100,000 California consumers or households per year
- Derives at least 50% of its annual revenue from selling or sharing the personal information of California residents
If your business meets any of these criteria, a wide range of your employee data is subject to the CPRA. This includes personal information collected in the course of the employment relationship, such as contact details, resumes, employment history, performance evaluations, and benefits information. In addition, the CPRA gives employees the right to control additional “sensitive personal information” such as Social Security numbers, financial account information, and biometric data. In order to be fully compliant with the CPRA, companies must take steps to protect this employee data in all its forms, including techniques such as redaction and encryption.
Why CPRA/CCPA Compliance Is Critical for HR Departments
If HR departments fail to comply with their CPRA/CCPA obligations, they leave themselves and their businesses on the hook for hefty fines and costly legal action. It’s also important to note that the CCPA’s private right of action, which the CPRA preserves, lets employees seek statutory damages when certain nonencrypted and nonredacted personal information is exposed in a breach caused by a failure to maintain reasonable security. Even without running into legal action or fines, being accused of non-compliance can harm your organization’s reputation. Employees, consumers, and business partners alike are likely to lose trust in companies that fail to adequately protect private information and comply with the law.
Effective HR data protection measures, such as redaction and encryption, are therefore essential to safeguard employee privacy, maintain compliance, and protect the integrity of your firm.
What Are the Key CPRA Requirements for Employee Data?
The California Privacy Rights Act introduces several new requirements for managing employee data, including:
Expanded Privacy Notices
Employers must now provide employees with a comprehensive privacy notice that includes information on the categories of personal information collected, the purposes for collection, and the length of time the data will be retained. This privacy notice must also inform employees of their rights under the CPRA, including the right to access, delete, and correct their personal information.
Expanded Employee Rights
Employees now have the right to access and obtain a copy of their personal data, request deletion of their data (subject to certain exceptions), and correct inaccurate information. The CPRA also gives employees the right to limit the use and disclosure of their sensitive personal information and opt out of the sale or sharing of their data.
Data Retention Limitations
Personal information must not be retained for longer than is reasonably necessary for the disclosed purposes. Businesses are now required to inform employees of the length of time they intend to retain each category of personal information and the criteria used to determine the retention period.
One way to keep within these retention limits is to use automated redaction software to remove unnecessary sensitive data from documents as soon as they are received, so that nothing is retained that the disclosed purpose does not require.
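The following is an added example, not code from the original article and not Redactable’s product: a text-level redactor for the categories of sensitive personal information named above (Social Security numbers, financial account data) plus e-mail addresses. The sample intake document is constructed, and the detection rules (SSN structure checks, a Luhn test for card numbers) are assumptions about how a practitioner would cut down false positives so that badge IDs and confirmation numbers survive while real identifiers are removed.

```python
"""Added example: a text-level redactor for the categories of sensitive
personal information the article names (Social Security numbers, financial
account data) plus e-mail addresses. Illustrative code written for this
page, not part of the original article and not Redactable's product. It
works on text already extracted from a document; the sample is constructed."""
import re

# SSN in the common dashed/spaced form, rejecting structurally invalid
# values: area 000, 666 or 9xx, group 00, serial 0000 (SSA issuance rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")
# 13-19 digit runs with optional separators; validated with Luhn below so
# that employee IDs and confirmation numbers are not redacted by mistake.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str):
    """Return (redacted_text, counts). The counts feed an audit record of
    what was removed, without storing the removed values themselves."""
    counts = {"ssn": 0, "card": 0, "email": 0}

    def sub_ssn(m):
        counts["ssn"] += 1
        return "[REDACTED-SSN]"

    def sub_card(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave it in place
        counts["card"] += 1
        return "[REDACTED-CARD]"

    def sub_email(m):
        counts["email"] += 1
        return "[REDACTED-EMAIL]"

    text = SSN_RE.sub(sub_ssn, text)
    text = CARD_RE.sub(sub_card, text)
    text = EMAIL_RE.sub(sub_email, text)
    return text, counts


# Constructed sample of an HR intake document; every value is synthetic.
SAMPLE = """Employee: Jane Doe
SSN: 123-45-6789
Corporate card: 4111 1111 1111 1111
Badge ID: 000-12-3456
Personal e-mail: jane.doe@example.com
Payroll confirmation: 4111 1111 1111 1112
"""

if __name__ == "__main__":
    redacted, found = redact(SAMPLE)
    print(redacted)
    print(found)
```

Two caveats apply to any redaction tooling, including this sketch. Pattern matching over extracted text has both false negatives (an SSN written without separators, a card number split across lines) and false positives, which is why the structural and Luhn checks are there; and for PDFs and scans the sensitive text must actually be removed from the text layer, annotations and metadata, not merely covered with a black box, or the data is still present in the file.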
5 Top Strategies for CPRA Compliance in HR Data Management
There are several effective strategies you can use to meet the new compliance burdens imposed by the CPRA/CCPA employer requirements:
1. Conduct a Data Inventory and Mapping Exercise
Identify all categories of employee data collected, processed, and shared by your organization. Map the flow of this data throughout your organization and examine your processing strategies, retention periods, and third-party access to data.
2. Update Privacy Policies and Notices
You likely already have a framework of privacy policies and notices that you employ for both internal and external communication. Revise this documentation to include the CPRA-required items such as the categories of personal information collected, the purposes of collection, and employee rights. Ensure that privacy notices are provided to your employees at the moment of data collection and are easily accessible at all times.
3. Implement Data Retention and Deletion Processes
It’s important to establish clear data retention policies and procedures that align with CPRA/CCPA employer requirements. Develop and implement processes for securely deleting or anonymizing employee data when it is no longer needed for the disclosed purposes. Using redaction software can help protect sensitive information while retaining only the data required for legal and compliance purposes.
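As an added example (not part of the original article or any vendor product), the block below turns the retention and deletion process described in steps 1 to 3 into something a script can enforce: a per-category retention schedule, of the kind the privacy notice must disclose, applied to an HR data inventory. The categories, periods and records are constructed and the retention periods are assumptions, not legal advice; real periods come from counsel and the applicable statutes.

```python
"""Added example: a retention-schedule evaluator for an HR data inventory.
Illustrative code written for this page, not part of the original article
or any vendor product. Categories, periods and records are constructed;
real retention periods come from counsel and the applicable statutes."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class RetentionRule:
    days: int        # keep this long after the trigger event
    trigger: str     # "collected" or "separated" (end of employment)
    basis: str       # the criterion disclosed in the privacy notice


# Illustrative schedule (assumption): one rule per category of personal
# information, mirroring what the notice at collection must disclose.
SCHEDULE: Dict[str, RetentionRule] = {
    "resume": RetentionRule(365, "collected", "candidate consideration window"),
    "performance_review": RetentionRule(3 * 365, "separated", "employment dispute limitation period"),
    "payroll": RetentionRule(4 * 365, "separated", "tax record-keeping obligation"),
}


@dataclass
class Record:
    record_id: str
    category: str
    collected: date
    separated: Optional[date] = None   # None while the person is still employed
    legal_hold: bool = False           # preserved for litigation or investigation


def retention_action(rec: Record, schedule: Dict[str, RetentionRule], today: date) -> str:
    """Decide what to do with one record: retain, delete, hold, or undefined."""
    rule = schedule.get(rec.category)
    if rule is None:
        # Data is stored but no retention period was defined or disclosed
        # for its category: a gap to fix in the inventory, not a deletion.
        return "undefined"
    if rule.trigger == "separated":
        if rec.separated is None:
            return "retain"          # the clock has not started yet
        start = rec.separated
    else:
        start = rec.collected
    if today < start + timedelta(days=rule.days):
        return "retain"
    if rec.legal_hold:
        return "hold"                # past its period but must not be destroyed
    return "delete"


def retention_plan(records: Iterable[Record], schedule: Dict[str, RetentionRule], today: date) -> Dict[str, str]:
    """Map every record ID in the inventory to its retention action."""
    return {r.record_id: retention_action(r, schedule, today) for r in records}


# Constructed inventory entries.
TODAY = date(2024, 6, 1)
RECORDS = [
    Record("r1", "resume", date(2023, 1, 10)),
    Record("r2", "performance_review", date(2020, 3, 1)),
    Record("r3", "payroll", date(2015, 5, 4), separated=date(2019, 12, 31), legal_hold=True),
    Record("r4", "badge_photo", date(2022, 8, 15)),
    Record("r5", "performance_review", date(2021, 2, 1), separated=date(2023, 1, 1)),
]

if __name__ == "__main__":
    for rid, action in retention_plan(RECORDS, SCHEDULE, TODAY).items():
        print(rid, action)
```

The "undefined" outcome is the one to watch: it marks a category that is being stored without a disclosed retention period or criterion, which is exactly what the expanded privacy notice requires. The "hold" outcome keeps records past their period only while a legal hold is set, so the deletion job never destroys evidence; clearing the hold is a deliberate step, not something the script infers.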
4. Develop Procedures for Handling Employee Rights Requests
As the CPRA grants employees the right to make requests in relation to their data, you must ensure you have an established process for receiving, verifying, and responding to such requests. You must also provide your HR staff with training on how to handle access, deletion, correction, and opt-out requests.
5. Review and Update Third-Party Contracts
Assess existing contracts with third-party vendors and service providers that manage employee data. Consider whether you need to update contracts and data processing agreements to include CPRA/CCPA employer requirements and ensure vendor compliance. Require vendors to implement encryption and redaction measures to protect employee data.
Redactable's AI-Based Redaction Platform for CPRA Compliance
HR departments can streamline CPRA compliance by using Redactable’s AI-based redaction platform to enhance their data protection efforts.
Among its many benefits, Redactable offers:
- An auto-redaction wizard that quickly identifies and permanently redacts sensitive employee information
- Time-stamped redaction certificates for efficient redaction activity monitoring and audit trails
- A user-friendly interface and step-by-step guidance that reduce the risk of human error
- A built-in OCR tool to enable the redaction of scanned physical documents, eliminating the need for manual redaction and saving valuable time and resources
Redactable prioritizes the security of personal and sensitive information, ensuring that employee data always remains protected throughout the redaction process.
Effective Compliance Is Intentional
The CPRA extends the protections granted to consumers under the CCPA to employees, contractors, and job applicants and introduces a number of new compliance obligations. It’s important to take proactive steps to align your employee data management practices with these additional CPRA requirements.
With Redactable’s AI-based redaction platform, you can quickly remove sensitive data from HR documents as part of an effective compliance program.
Discover how Redactable can help your HR data management by signing up for a free trial today!