CPRA employee privacy rights moving ahead

Employee rights under the CPRA will take effect January 1, 2023

Tess Macapinlac, OneTrust Lead Privacy Counsel
September 8, 2022

Gradient blue and purple

The California assembly failed to enact two amendments that sought to extend the grace period for employee rights under the CPRA. This may be unwelcome news to businesses that were banking on another extension. As it sits now, organizations have a matter of months to get their B2B and HR personal information practices in line before the impending effective date. 

Employee rights up to this point

Under the CCPA employees were specifically exempted from consumer rights and were limited to only a right to know and a right to private action in the event of a breach of unencrypted data. This exemption was due to expire on January 1, 2021, but the passing of the CPRA on November 3, 2020, extended the exemption for employees’ rights until January 1, 2023. Now, with the failure of AB 2871 and AB 2891, B2B and HR personal information will be under the same regulation as consumer data as of Jan 1. 

The CPRA will extend new rights for employees which presents a unique set of challenges for organizations. The most notable is understanding what employee data they hold and where that data is stored. Organizations will therefore have to prepare for this new scope of data ahead of the 2023 effective date, considering the CPRA’s lookback period beginning January 1, 2022.

Let’s look at some of the challenges the CPRA’s employee rights will present to organizations as well as ways to prepare. 

What are the employee rights under the CPRA?

Under the CPRA, employees will be able to exercise six new rights including: 

  • Right to know 
  • Right to correction 
  • Right to deletion 
  • Right to opt-out of sale or share 
  • Right to limit use and disclosure of sensitive personal information 
  • Right to not be retaliated against for exercising rights

Organizations need to consider these new rights for employees and how they will fulfill requests. This will involve implementing or leveraging existing processes to understand this new scope of data as well as finding effective ways to manage the request lifecycle.

What do organizations need to do to prepare for employee rights under the CPRA?

There are several key factors that organizations need to consider. First, understand the data that falls under the scope of an employee rights request. This means knowing the classification of the data (e.g., sensitive personal information), where that data lives, and who has access to it, among other things. The challenge with understanding what data your organization has is finding it.

Manage intake and identity verification

Organizations must implement the correct processes for managing employee rights requests. When the employee exemption expires, organizations should be prepared for an influx of rights requests and therefore an easily accessible intake method for such requests will be key. Intake submission forms can be placed on websites or through employee portals to centralize the process and can be embedded into existing IT ticketing systems for increased efficiency in managing the requests.

Organizations should also consider how they will verify the identity of the requester as well as automating the discovery of their information. When identities have been verified and personal information has been discovered, the redaction of information related to other individuals or proprietary information is essential for fulfilling the request. 

Show me the data

Vast quantities of employee information are stored within unstructured data sources and when performed manually, discovering employee information can be a time-consuming exercise. Employee data can be spread across structured and unstructured data sources in cloud and on-prem systems. When dealing with an influx of requests the need for automated data discovery becomes apparent.

Once data has been found, organizations should look to catalog this data in a centralized inventory. This will assist with the discovery of requesters’ information as well as giving visibility into the classification of the data, where it’s stored, and who has access to it.

Consider redaction

Embedding automated redaction solutions into the fulfilment process will help organizations save time and increase efficiencies across multiple requests. Having found and prepared the appropriate information to fulfill the employee rights request, organizations should ensure they have a secure method of sharing this with the requester such as encryption or via a secure messaging portal.

How does OneTrust help with CPRA Employee Rights?

OneTrust Privacy Rights Automation shortens DSAR turnaround by automating the employee request lifecycle. The tool covers everything from intake to fulfillment and can be embedded into existing channels such as your website and employee portals. It can also be used with existing IT ticketing systems and can help streamline the identity verification process and automatic discovery of data associated with the requestor. Using AI & ML-driven classification models, OneTrust Privacy Rights Automation redacts sensitive information that should not be shared with the requestor, as well as information related to other individuals, and delivers the information to the requesters through an encrypted messaging portal. 

OneTrust Data Governance solutions help you discover and simplify everyday access to data. Leverage Data Discovery to scan both structured and unstructured data sources across cloud and on-premise systems to help find employee-related data. The automated data discovery solution classifies personal and sensitive personal information and extracts metadata to assist in the cataloging of information and the fulfillment of requests.

Request a demo to learn how OneTrust supports CPRA compliance and get prepared for the expanded scope of employee rights. 

You may also like


Privacy & Data Governance

Common CPRA compliance questions answered

Attend OneTrust DataGuidance’s webinar to learn from experts about the CCPA, as amended, and its most pressing compliance questions.

March 21, 2023

Learn more


Privacy Management

Data Privacy Day: Protiviti & OneTrust

Join industry experts at OneTrust & Protiviti for an operational deep dive and interactive Q&A on the upcoming US State laws set to go into effect in 2023.

January 26, 2023

Learn more


Privacy Management

7 steps to CPRA compliance

Download this checklist to make sure your organization follows the right steps to implement processes that achieve California Privacy Rights Act compliance.

January 24, 2023

Learn more