Does the new California Privacy Rights Act (CPRA) apply to employers?

Does the new California Privacy Rights Act (CPRA) apply to employers?

Yes, the California Consumer Privacy Act will apply in full to human resources data. This means the individually identifiable information of your applicants, employees, independent contractors, dependents, and other HR data of California residents.

The California Privacy Rights Act or CPRA is the first law in the United States to apply comprehensive data protection to human resources data. It applies to employers that are:

  • For-profit companies
  • Doing business in California and
  • Collecting the personal information of California residents
  • And that meet certain size thresholds, for example, over $25 million in global annual revenue.

The law is long and demanding, but the three main obligations are:

  • Post a detailed privacy policy about how the employer handles human resources data
  • Comply with new rights regarding human resources data. This includes the rights to delete, correct, and get a copy of specific pieces of personal information; and
  • Include specific CPRA provisions in contracts with vendors that handle human resources data.

Employers subject to the CPRA need not scramble to comply yet. The provisions of the CPRA relevant to businesses do not come into force until January 1, 2023. However, employers should start now on implementing the policies, procedures, and other compliance measures to address the CPRA’s requirements.

If subject to the CPRA, employers should consider taking the following steps now:

  • Identify the teams that will lead their CPRA compliance efforts;
  • Commence a data-mapping exercise to identify all repositories of HR data and how the company handles that data; and
  • Based on the results of the data mapping, develop a plan to achieve compliance with the CPRA by January 1, 2023.

To help you get up to speed on the CPRA, our privacy team has created a webpage on the CPRA for employers, www.littler.com/cpra, with articles, podcasts, and other resources.

Littler has also developed a CPRA Compliance Suite with template privacy policies, data-mapping tools, template agreements, and many other documents. 

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.