The CPRA Grants Novel Data Rights to Employees. Are You Getting Ready?

September 3, 2021


The California Privacy Rights Act (CPRA), which goes into effect on January 1, 2023, was enacted to offer more robust protections to California consumers – but California workers have been granted novel privacy rights under the CPRA too. Here’s what you need to know:

Who is Covered by the CPRA?

The protections offered under CPRA extend to California residents whose personal information is collected as a function of their work. This includes employees, independent contractors, and job applicants (California workers). Any employer who meets the general CPRA thresholds will be required to comply with the new obligations relating to employee data (Covered employers).

Data Rights for California Workers

The rights to know, correct and delete personal information, which have become a common feature of consumer-focused privacy laws in the U.S. and abroad, are extended through the CPRA to California workers, giving workers novel rights of control over the personal information held by employers and third parties acting on behalf of an employer.

California workers are also given the right to opt out of the sale and/or sharing of their personal information. They are further able to limit the use of their sensitive personal information.

Employers are not permitted to retaliate against California workers who choose to exercise their rights under CPRA.

Practical Implications of the CPRA’s Data Rights for California Workers

In practice, we expect the right to know to be the most burdensome to employers. While California workers are granted the right to delete personal information, the reality is that laws which require employers to retain HR records for certain periods or which allow employers to retain documents and data that would aid their defense in an employment law claim curtail the rights granted to California workers under the CPRA. Similarly, the phrasing of the right to correct personal information in the CPRA limits this right to objectively false information. This category would include information such as an outdated address. Subjective information, such as a supervisor’s opinion contained in an employment record, is not required to be changed under the CPRA.

If presented with a request from a California worker exercising his or her right to know, employers must provide the following details:

  • Categories of personal information it has collected about the California worker.
  • Categories of sources from which the personal information is collected.
  • The business or commercial purpose for collecting, selling, or sharing personal information.
  • Categories of third parties to whom the employer discloses personal information.
  • Categories of personal information sold or shared and categories of third parties to whom the personal information was sold or shared, if any.
  • Categories of personal information disclosed by the employer about the California worker for a business purpose and the categories of persons to whom it was disclosed.

Action Items for Covered Employers of California Workers

To prepare for the expanded rights coming into effect in 2023, employers should:

  • Create a privacy policy that contemplates the rights of California workers.
  • Map data flows, including the collection, use, storage, transfer, and deletion of the personal information of California workers.
  • Develop processes for California workers to request information.
  • Develop an internal framework to respond to these requests.
  • Train relevant employees on the handling of personal information, including the personal information of California workers.

For assistance developing your privacy policies and internal processes, get in touch. We’re here to help!


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you