California Employers: California Privacy Rights Act Goes Into Full Effect January 1, 2023

The bottom line

  • Employer responsibilities will be significantly expanded effective January 1, 2023, when the CPRA employee data exemption expires.

  • California employers must comply with notice requirements and honor new individual rights such as access and deletion.

  • California employers should take steps now to be in compliance before January 1, 2023, including taking stock of the information collected from employees, applicants and independent contractors, where it is stored and how it is used, and updating their privacy policies.

When the California Privacy Rights Act (CPRA) goes into effect on January 1, 2023, affected organizations will be subject to the same stringent requirements for the collection, retention, and use of employee data that the CPRA mandates for consumers. Affected companies must, among other things, post privacy policies that apply to employee data, provide specific notices, and be prepared to respond to data access requests.

When the current California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, it imposed numerous new privacy disclosure obligations on companies that collect personal information from California consumers. It also gave these consumers numerous rights, including the right to know what personal information was collected about them, the right to delete that personal information, and the right to opt out of the sale of their personal information. Most of the obligations under the CCPA did not apply to personal information that a company collects about job applicants, employees, officers, or others in similar roles within the company. However, this so-called employee exemption expires on December 31, 2022, which is why the employee data protection obligations take effect at the beginning of the new year.

Covered Businesses

The CPRA applies to a Covered Business, which is defined as a business or other entity that collects consumer personal information, conducts business in California, and that (i) had annual gross sales of at least $25 million for the preceding calendar year, (ii) buys, sells, or shares the personal information of at least 100,000 consumers annually, or (iii) derives at least 50% of its revenues from the sale or sharing of consumer personal information. A “Consumer” is any person who is a California resident, including California employees, independent contractors and job applicants.

What are personal information and sensitive personal information?

Under the CPRA, “personal information” is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes, but is not limited to:

  • real name

  • address

  • unique personal identifier

  • Internet Protocol address

  • email address

  • Social Security number

  • biometric information

  • geolocation data

  • inferences drawn from personal information

Personal information also includes “sensitive personal information,” which is subject to separate requirements described below. Examples of sensitive personal information include information revealing an individual’s Social Security, driver’s license, ID card or passport number; precise geolocation; the contents of the individual’s mail, email, and text messages (unless the business is the intended recipient of the communication); and, among other things, racial or ethnic origin, religious or philosophical beliefs, or trade union membership.

Enhanced notice-at-collection requirement

In addition to the obligation to inform individuals (including job applicants and employees) about the categories of personal information collected and the purposes for which each category is to be used, companies are required to inform individuals whether the information will be sold or shared (e.g., provided to a payroll provider or an insurance company). If the company collects sensitive personal information, the same requirements apply to that information as well. Finally, companies must state in the notice how long the company intends to retain each category of personal information, including sensitive personal information. Importantly, companies cannot retain such information for longer than is “reasonably necessary” for the disclosed purpose for which the information was collected.

Right to deletion of personal information

Under the CPRA, individuals have the right to request that a company delete any personal information about them that the company has collected from the individual, and companies must notify individuals of this right. A company receiving such a request must not only delete the individual’s personal information from its own records, but also notify any service provider or contractor to delete the individual’s personal information from their records, and notify any third party to whom the company sold or shared the personal information to delete it, unless this proves impossible or involves disproportionate effort. However, companies may retain certain personal information, despite a deletion request, for a number of stated purposes, including to complete a transaction, to comply with a legal obligation, and for internal purposes reasonably aligned with the individual’s expectations. These exceptions may be sufficient to cover much of the information collected about applicants and employees.

Right to correction of inaccurate personal information

Individuals have the right to request that a company holding inaccurate personal information about them correct that information. Companies must notify individuals of this right and use commercially reasonable efforts to correct the inaccurate personal information.

Right to know what personal information has been collected

An individual has the right to request that the business disclose to them:

  1. the categories of personal information it has collected about that individual;

  2. the categories of sources from which the personal information is collected;

  3. the business or commercial purpose for collecting, selling or sharing the personal information;

  4. the categories of third parties to whom the business discloses personal information; and

  5. the specific pieces of personal information it has collected about that individual.

Right to Opt Out of the Sale of Personal Information

Under the CPRA, the concept of “selling” is much broader than the word would intuitively imply. “Selling” means the selling, renting, releasing, disclosing, distributing, making available, transmitting or otherwise communicating, whether orally, in writing, electronically or otherwise, of a consumer’s personal information by the business to a third party for money or other valuable consideration.

While it is unlikely that many companies will sell personal information about employees to third parties, those individuals nonetheless have the right to opt out of the sale or sharing of such information. Companies that do sell or share personal information must provide notice that it may be sold or shared, and individuals have the right to opt out of the sale of their personal information. An opt-out must be honored unless and until the individual subsequently consents to the sale of their personal information, and a company may not ask for that consent until at least 12 months after the initial opt-out.

Right to Restrict Use and Disclosure of Sensitive Personal Information

Individuals also have the right to direct a company that collects sensitive personal information to limit the use of that information to:

  • “those uses necessary to perform the services or to provide the goods that could reasonably be expected of an average consumer requesting those goods or services”;

  • certain “business purposes” as defined in the CPRA; and

  • uses permitted by forthcoming regulations.

Employees must be informed of this right. Note that the new California Privacy Protection Agency (CPPA), created by the CPRA and tasked with enforcing it, is working on implementing regulations, but these regulations are still in draft form and are not yet final.

No retaliation

The CPRA expressly prohibits discrimination against an individual because the individual has exercised any of their rights, including the right to opt out, under the CPRA. This prohibition includes, but is not limited to, retaliation against any employee, applicant or independent contractor for exercising their rights under the CPRA.

Notification, Disclosure, Correction and Deletion Obligations

Businesses must provide two or more designated methods, including at least one toll-free telephone number, for submitting requests to know what personal information is collected, shared or sold and to whom; to delete personal information; or to correct inaccurate personal information. Businesses that maintain a website must also allow individuals to submit these requests through the website.

Once a request is received, a company must acknowledge receipt within 10 business days and respond with the required information or action within 45 days, free of charge. The required disclosure must be in writing and made in accordance with CPRA requirements. The request may cover a 12-month look-back period, or longer under upcoming regulations. In any event, such disclosures need only be made for information collected on or after January 1, 2022. Companies are required to respond to an individual’s requests to know what personal information was collected, shared or sold, and to whom, no more than twice within a 12-month period.


Employers should take steps now to prepare for CPRA compliance. Actions to consider include mapping the data collected about employees, applicants and independent contractors, and implementing policies and procedures to provide the required notices and respond to requests.

The content of this article is intended to provide a general guide to the topic. In relation to your specific circumstances, you should seek advice from a specialist.