Navigating Employer Challenges Under the CPRA

April 21, 2023

We held a webinar about HR compliance under the CPRA in early March. During the webinar, our hosts Jessica Clark and Lindley Fraley asked the attendees about the challenges they were anticipating under California’s new privacy law.  

The outcome was:  

In this article, we’ll highlight some practical tips to overcome the three challenges that received votes in our webinar:  

Balancing Data Minimization Against Legal and Record-Keeping Requirements 

The principle of data minimization means only collecting and storing data for a specific purpose and disposing of that data once it is no longer required. In the employment context, this is a significant change for businesses in California – and the scope of the new employee rights is posing large challenges for employers.  

Fortunately, there is a key tool that businesses can employ to instill confidence in the management (and deletion) of employee data: data maps.  

 Data Maps Help Companies Better Implement Data Minimization 

Data maps outline what personal information businesses collect, as well as where it is transferred and stored. And generating complete data maps can help employers understand what personal information they actually hold about employees and to better manage that data.  

With an up-to-date data map, employers are in a better position to implement processes to routinely delete data that is no longer needed for business purposes (like employee emails and Slack/Teams channel communications) and no longer required to be kept under other federal, state, and local retention requirements (a general rule of thumb is if the data is more than 4 years old re-assess whether you are still required to keep it). Data maps are the foundation of any data minimization program and they’re a key feature of furthering compliance with California’s privacy and employment laws.  

Responding to Access and Deletion Requests 

Responding to access and deletion requests from employees is typically more complicated than managing non-employee requests. This is in large part due to the volume and nature of the data you collect about your employees.  

For instance, it is significantly more likely that the information you hold about an employee is intermingled with the personal information of another employee or confidential information or trade secrets held by the business. So, it’s critical that this information is redacted or otherwise excluded before this information is deleted – or worse, forwarded to an individual requestor.  

These five steps can help your company streamline your response to an employee (or ex-employee) request for access or deletion:  

  1. Verify the requestor’s identity (this is a crucial first step in any request to access personal data).  
  2. Determine the nature and scope of the request.  
  3. Reflect on what data falls under the scope of the request and whether any exceptions apply to that data.  
  4. Collate the data that is available for the employee to access (or able to be deleted).  
  5. Document the steps you took, and your reason for taking those steps and store that documentation.  

Providing Notice to Individuals About Data Collection 

Finally, employees are entitled to notice about the information being collected about them either at or before the point of collection. The notice must outline the categories of data being collected, the purpose for the collection, and the retention period. Additionally, each category of ‘sensitive’ personal information must be expressly included in the notice.  

For most employers, complying with the notice requirements will be a matter of developing employee-specific privacy policies and collection notices and distributing them to employees at relevant intervals. Small changes to recruiting and onboarding processes will also be required, such as ensuring that collection notices are provided to job candidates during the application process.   

For a more in-depth discussion about these topics, watch our webinar replay on the California Privacy Rights Act: Understanding  Your HR Compliance Obligations. And don’t hesitate to reach out for assistance in navigating the additional HR obligations under the CPRA. Our employment and privacy attorneys would love to help.  


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.

Other Articles

External Privacy Policy with hand hovering above it and reading glasses sitting on it Is an External Privacy Policy Enough?
GDPR Explained: A Quick Guide for U.S. Businesses
Children’s Data Privacy: Five Takeaways from the FTC’s Recent Workshop

    Ready to Talk?
    Contact Us

    We would to hear from you

    Please take a moment to tell us a few things about your needs and someone from our team will reach out to you as soon as possible.

    We would to hear from you

    Thank you for reaching out!

    Someone from our team will get back to you shortly

    We would to hear from you