CPRA employee privacy rights moving ahead

Employee rights under the CPRA will take effect January 1, 2023

Tess Macapinlac, OneTrust Lead Privacy Counsel
September 8, 2022

The California assembly failed to enact two amendments that sought to extend the grace period for employee rights under the CPRA. This may be unwelcome news to businesses that were banking on another extension. As it sits now, organizations have a matter of months to get their B2B and HR personal information practices in line before the impending effective date. 

Employee rights up to this point

Under the CCPA, employees were specifically exempted from consumer rights and were limited to only a right to know and a right to private action in the event of a breach of unencrypted data. This exemption was due to expire on January 1, 2021, but the passing of the CPRA on November 3, 2020, extended the exemption for employees’ rights until January 1, 2023. Now, with the failure of AB 2871 and AB 2891, B2B and HR personal information will be under the same regulation as consumer data as of January 1.

The CPRA will extend new rights to employees, which presents a unique set of challenges for organizations. The most notable is understanding what employee data they hold and where that data is stored. Organizations will therefore have to prepare for this new scope of data ahead of the 2023 effective date, considering the CPRA’s lookback period beginning January 1, 2022.

Let’s look at some of the challenges the CPRA’s employee rights will present to organizations as well as ways to prepare. 

What are the employee rights under the CPRA?

Under the CPRA, employees will be able to exercise six new rights including: 

  • Right to know 
  • Right to correction 
  • Right to deletion 
  • Right to opt-out of sale or share 
  • Right to limit use and disclosure of sensitive personal information 
  • Right to not be retaliated against for exercising rights

Organizations need to consider these new rights for employees and how they will fulfill requests. This will involve implementing or leveraging existing processes to understand this new scope of data as well as finding effective ways to manage the request lifecycle.

What do organizations need to do to prepare for employee rights under the CPRA?

There are several key factors that organizations need to consider. First, understand the data that falls under the scope of an employee rights request. This means knowing the classification of the data (e.g., sensitive personal information), where that data lives, and who has access to it, among other things. The challenge with understanding what data your organization has is finding it.

Manage intake and identity verification

Organizations must implement the correct processes for managing employee rights requests. When the employee exemption expires, organizations should be prepared for an influx of rights requests, so an easily accessible intake method for such requests will be key. Intake submission forms can be placed on websites or in employee portals to centralize the process, and can be embedded into existing IT ticketing systems for increased efficiency in managing the requests.

Organizations should also consider how they will verify the identity of the requester and automate the discovery of the requester’s information. Once identities have been verified and personal information has been discovered, redacting information related to other individuals, as well as proprietary information, is essential for fulfilling the request.

Show me the data

Vast quantities of employee information are stored within unstructured data sources, and discovering that information manually can be a time-consuming exercise. Employee data can be spread across structured and unstructured data sources in cloud and on-prem systems. When dealing with an influx of requests, the need for automated data discovery becomes apparent.

Once data has been found, organizations should look to catalog this data in a centralized inventory. This will assist with the discovery of requesters’ information and give visibility into the classification of the data, where it’s stored, and who has access to it.

Consider redaction

Embedding automated redaction solutions into the fulfillment process will help organizations save time and increase efficiencies across multiple requests. Having found and prepared the appropriate information to fulfill the employee rights request, organizations should ensure they have a secure method of sharing it with the requester, such as encryption or a secure messaging portal.

How does OneTrust help with CPRA Employee Rights?

OneTrust Privacy Rights Automation shortens DSAR turnaround by automating the employee request lifecycle. The tool covers everything from intake to fulfillment and can be embedded into existing channels such as your website and employee portals. It can also be used with existing IT ticketing systems and can help streamline the identity verification process and automatic discovery of data associated with the requester. Using AI & ML-driven classification models, OneTrust Privacy Rights Automation redacts sensitive information that should not be shared with the requester, as well as information related to other individuals, and delivers the information to the requester through an encrypted messaging portal.

OneTrust Data Governance solutions help you discover and simplify everyday access to data. Leverage Data Discovery to scan both structured and unstructured data sources across cloud and on-premise systems to help find employee-related data. The automated data discovery solution classifies personal and sensitive personal information and extracts metadata to assist in the cataloging of information and the fulfillment of requests.

Request a demo to learn how OneTrust supports CPRA compliance and get prepared for the expanded scope of employee rights. 

