
What is the CPRA?

The California Privacy Rights Act (CPRA) was passed on the November 2020 ballot, with 56% of California voters in favor. It amends and strengthens the consumer data privacy rights granted by the CCPA in 2018.

Most notably, the CPRA grants new privacy protection rights to the employees of covered businesses. The exemption for employee data (originally provided by the CCPA) is scheduled to end on the same day the CPRA becomes effective, i.e. January 1, 2023. CPRA enforcement will begin six months later, on July 1, 2023.

Organizations will have additional obligations to treat employee and consumer personal information similarly when the CPRA goes into effect. It is expected that the California Privacy Protection Agency (CPPA), the exclusive regulator and enforcement body set up by the CPRA, shall enact regulations that will adapt the CPRA requirements and business obligations towards employee data.

The new Employee rights under the CPRA

The CPRA grants the following DSR rights to employees concerning their Personal Information:

  • The right to access (Section 1798.105) - Employers must provide all PI data, including its categories, sources, collection purposes, retention periods, and third-party disclosures/sales to employees when requested.
  • The right to delete (Section 1798.106) - Employers must honor employees’ request to delete their PI data. For example, employees may ask organizations to delete their personal information after resigning and leaving the organization.
  • The right to correct (Section 1798.110) - Employers must allow employees to rectify inaccurate or obsolete PI data. For example, they may ask the organization to correct any inaccuracies in their employee record.
  • The right to opt-out of the sale/sharing of PI (Section 1798.115) - Employees now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.
  • The right to limit the disclosure of sensitive PI (Section 1798.120) - Employees may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.
  • The right to access information on automated decision-making (pending regulations) (Section 1798.130) - Employees will have the right to request information about automated decision-making processes based on their personal information. Employees may also request a description of the likely outcomes that will result from these processes.
  • The right to opt-out of automated decision-making (pending regulations) (Section 1798.135) - Employees may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”
  • The right to non-discrimination (Section 1798.185 and Section 1798.145(m)) - This means that organizations are not allowed to retaliate or discriminate against their employees for exercising their CPRA rights.

Securiti offers the DSR Automation Solution to help organizations honor all of these rights and simplify the process of fulfilling them. The solution turns manual work into an automated process that helps enterprises respond swiftly to data subject requests and coordinates reviews and approvals between stakeholders.

Businesses’ obligations toward Employee Personal Information

Notice Requirement before Collection of PI and SPI
(CPRA Section 1798.100(a) / CCPA Section 1798.100(b))

Similar to the CCPA notice requirement, which already applies to employers today despite the general exemption for employee data, the CPRA requires businesses to notify employees before or at the point of collection of their personal information (PI) or sensitive personal information (SPI). The notice must include the following details:

  • The categories of PI to be collected;
  • The purposes for which the PI is to be collected;
  • Whether the collected PI is sold or shared - the employee must be given the option to opt-out;
  • The retention period of keeping their PI or the method used to determine a reasonable period.

Securiti provides a Privacy Notice creation and management solution that uses automation and data intelligence to continuously scan data stores and dynamically update the disclosure in real time with any change to the collection, processing, sharing, selling, or retention of personal data.


Securiti’s Consent Management solution helps organizations automate the collection and management of user consent. The solution updates consent status in real-time across systems to ensure organizations always honor the latest, up-to-date preference of the user.

Restriction on collection/use of PI beyond the information provided in the Notice
(CPRA Section 1798.100(a) / CCPA Section 1798.100(b))

Businesses must not collect additional PI/Sensitive PI or use the already collected PI/Sensitive PI of employees for any purpose that is incompatible with the earlier disclosed purpose unless they provide a new notice to the employee.

Securiti’s data mapping solution helps organizations discover, identify, and map personal data to its owners. Organizations can then create privacy notices and incorporate sensitive data intelligence into their practices to ensure that all the data protection principles have been complied with.

Necessary, minimum, and proportionate PI collection, retention, and sharing
(CPRA Section 1798.100(c), Section 1798.145(m))

Businesses must collect, retain, and sell/share only the employees’ PI and sensitive PI that is necessary, minimal, and proportionate to the purpose for which it was collected.

Transparent Privacy Policy
(CPRA Section 1798.130)

The CPRA requires employers to provide a transparent and accessible privacy policy to their employees, or a California-specific section within their existing policy, containing the following information:

  • A list of the categories of PI it has collected about its employees in the preceding 12 months;
  • Categories of sources from where it has collected employees’ PI;
  • Business or commercial purpose for collecting, selling or sharing employees’ PI;
  • Whether the business sells or shares employees’ PI or discloses it for a business purpose;
  • If the business sells or shares employees’ PI, a list of the categories of personal information it has sold or shared about employees in the preceding 12 months;
  • If the business discloses employees’ PI, a list of the categories of employees’ PI it has disclosed about employees for a business purpose in the preceding 12 months;
  • Categories of third parties to whom business discloses employees’ PI;
  • Employees' data privacy rights under the CPRA and the method to exercise them.

Securiti provides a Privacy Notice creation and management solution that uses robotic automation and data intelligence to scan data stores and dynamically update the disclosure in real time with any change to the collection, processing, sharing, selling, or retention of personal data.

Assessments for risky processing activities
(CPRA Section 1798.185 and 1798.145(m))

The CPRA mandates that businesses that process employees’ personal information in a manner that “presents a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA.

The law requires this audit to be independent and thorough. To determine whether this requirement applies to its PI processing, an organization must consider the following factors:

  1. The size and complexity of data processing activities, and
  2. The nature and scope of data processing activities.

Businesses must plan now and engage a reliable third-party cybersecurity partner to complete the obligatory annual audits.

Regular Risk Assessments
(CPRA Section 1798.185 and 1798.145(m))

The CPRA also requires organizations to conduct regular risk assessments to evaluate the privacy risks of processing activities. One of the factors that can be used to evaluate a processing activity is the use of employees’ sensitive PI data. All assessments must weigh the privacy risks of the processing activity against the benefits that are provided. This assessment then needs to be submitted to the CPPA.

Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This will allow the organization to conduct timely risk assessments and identify problem areas quickly.

Securiti’s Assessment Automation solution uses AI to help organizations complete PIAs, DPIAs, Readiness Assessments, and Transfer Impact Assessments. The relevant assessment is triggered automatically based on the determined risk.


Other Employee Data obligations of the Organization

Implement Reasonable Security Controls
(CPRA Section 1798.100(e) and Cal Civ Code 1798.81.5 read with CPRA Section 1798.150 (CCPA Section 1798.150))

Businesses must adopt reasonable and appropriate security practices to protect employees’ PI. Failure to do so, where it results in a breach of employees’ PI (or employee account and password details), may expose the business to a private right of action. Statutory damages in such an action range from $100 to $750 (or actual damages). However, the business has 30 days after receiving the mandatory notice to remediate the issue.

Securiti’s data protection solution helps organizations assess data protection measures and enable appropriate security controls. Organizations can protect employee data by following a three-step process:

  • First, detect and catalog the current access and security controls on data assets.
  • Then, enforce data protection by automating encryption or masking of unprotected data.
  • Finally, apply least privilege by revoking or removing unauthorized or excessive access to data assets.

Breach Notification
(CPRA Section 1798.150 (CCPA Section 1798.150), Cal Civ Code 1798.81)

Businesses must notify employees of any breach of unredacted/unencrypted PI (or employee account and password details). Businesses must also notify employees if the PI was encrypted but the encryption key or security credential was compromised. The notification must be made as soon as reasonably possible; the time needed to determine the breach’s scope and restore reasonable integrity to the system is excluded from this period.

Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations meet breach notification requirements within hours of a security incident.

Contracts to carry forward protections
(CPRA Section 1798.100(d) and Section 1798.145(m))

Businesses must enter into contracts with any third party, service provider, or contractor to which they sell or with which they share employees’ PI, to ensure that:

  • The PI of employees is sold/shared for a limited and specific purpose,
  • The third-party, service provider or contractor provides a similar level of privacy protection to employee PI,
  • The third-party, service provider or contractor notifies the business if it cannot provide the same level of protection to employee PI,
  • The business can take steps to remediate employees’ PI if a third party, service provider, or contractor fails to uphold their obligations.

Securiti’s Vendor Assessments solution helps organizations evaluate their current and prospective vendors’ compliance with global privacy regulations. Specifically, it assesses how the vendor manages personal information and privacy and security risks, how well the vendor has implemented security measures, and how well the vendor complies with regulatory requirements.


CPRA Fines and Penalties

Under the CPRA, organizations can be fined $2,500 per unintentional violation and up to $7,500 per intentional violation. In addition, fines for all violations related to children’s personal information under the age of 16 are $7,500 per violation if the organization had actual knowledge that the personal information belonged to a minor.

Also, organizations no longer have a 30-day cure period before being fined for violations. Instead, the CPRA gives the CPPA the discretion to set the length of time allowed to resolve the issue.

Learn more about the CPRA vs. CCPA here.


What can your organization do today to comply with CPRA?

The CPRA will take effect starting January 1, 2023, and enforcement will begin six months later (July 1, 2023). To learn more about the CPRA, and its importance, read this article.

Securiti has a suite of AI-powered solutions that have been customized to help organizations comply with the specific regulations of the CPRA.

Use Securiti’s solutions to:

Request a demo today and start your CPRA compliance journey with Securiti.
