Get prepared for CPRA

How to ensure compliance when CPRA starts in 2023

Client Challenge

Employee data is everywhere. There are resumes in inboxes, links to social media accounts, and information housed in databases, SaaS applications and laptops. The list goes on.

As of Jan. 1, 2023, when the California Privacy Rights Act (CPRA) goes into effect, all California residents, including employees, job applicants, contractors and retirees, have the right to control their private data.

For-profit companies bringing in more than $25 million in revenue with employees living in California must properly manage all employee information, connecting the data dots between the systems, people, processes and policies that use and store that information.

Failure to properly connect those dots and manage employee data will lead to stiff penalties once CPRA goes into effect next year.

CPRA is an expansion of the California Consumer Privacy Act (CCPA). In addition to giving people control of their data, CPRA defines a new category of Sensitive Personal Information. This category covers data such as race and ethnic origin, religious beliefs and personal health information, which could potentially impact ongoing Diversity, Equity & Inclusion (DEI) operations and COVID-19 return-to-office processes.

These requirements build on CCPA and take it a step further. What was once implicit now becomes explicit with CPRA.

These data protection laws are already having an impact on global organizations. H&M Germany was fined $41.3 million for non-compliance with the EU’s General Data Protection Regulation (GDPR). Google was fined $57 million by France’s data protection watchdog, and Marriott is facing a $124 million fine in the United Kingdom.

Additionally, the Great Resignation shows no signs of slowing, so employees are looking to leadership for reasons their organization is the right place to invest their commitment. One way to preserve employee-employer trust is to protect personal data. As this Washington Post article demonstrates, employees become distrustful when their data isn’t protected.

Implementing a CPRA compliance process will not only preserve company reputation and prevent fines from cutting into profits, but it also protects and preserves trust among employees who will feel confident their personal data is being properly managed and protected within the company.


What, exactly, constitutes personal information?

“Any information relating to an identified or identifiable person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier (such as IP address or device ID), or to one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that natural person.”

Under CCPA, companies were required to comply with customer requests for data. CPRA expands that to include employee data. That creates a problem that privacy programs can’t simply solve through consent, because employees cannot legally provide consent.

With that in mind, each piece of information requires a business justification. Organizations can only collect what is needed and must delete everything else.

Some personal information requests include the right to delete personal information, the right to know what personal information is being collected and the right to opt out of sale or sharing of personal information.

To manage and process these data requests, business processes need to be implemented.


To ensure compliance with employee data rights under CPRA, the first step is to map the data, then implement strategy and process. HR data stewards must remain in sync with existing privacy requirements and upcoming regulations, utilizing a framework that establishes:

1 \ Common Privacy Control Objectives

· Stewards create a common set of privacy controls to cover the requirements of all relevant regulations, with a mapping between controls and regulatory requirements.

2 \ Privacy Risk

· Nearly every business process touches some piece of employee data. For example, every email contains names. To identify the business processes that require evaluation, adopt a risk-based approach: focus on processes that involve sensitive employee data, large quantities of data, data sent to third parties such as SaaS vendors, and other data sources that carry an elevated risk.

3 \ Data Usage

· Track the data through your systems and processes: Understand where the data comes from, identify what it is being used for and determine where it goes. Understanding those three components lets you identify which policies apply to the data and how those policies impact your business processes.

Data management and governance

In order to comply with privacy regulations, improvements need to be made to the way an organization manages data.

If an organization already has a data governance program, this is a great place to start. If not, it is helpful to create an initial data governance arrangement to address regulatory imperatives before launching a broader program.

If there is a data steward, or a similar position within an organization, include them in the project plan. They should also be involved in the data classification process.

Additionally, it is critical to identify and classify Personal Information (PI) and Sensitive Personal Information (SPI), while understanding how this data moves through your systems.

Recognize that one piece of data may be used in multiple systems, often with varying names. For example, SSN is often used as a unique identifier in many systems, but may be called Social, Tax ID, or just User ID. It’s important to identify all the various locations and names of this sensitive data in order to protect it and to comply with CPRA stewardship requests.

Start preparing now

Starting Jan. 1, 2023, it will become imperative for businesses to deftly manage all employee information, connecting the dots between data and the systems, people, processes and policies that use it to ensure compliance with CPRA. Navigating these new regulations now not only ensures an organization will avoid costly fines later, but it will also build trust among employees.

To ensure compliance with CPRA, start (or upgrade) your employee privacy program now.

Unify can assist with each portion of the process. Here are some functional steps to take:

1 \ Build a cross-functional team that includes data stewards, compliance analysts and developers.

2 \ Specify company policies.

3 \ Assess existing resources.

4 \ Catalog and classify data.

5 \ Outline specific compliance requirements – policy mapped to data.

6 \ Define and implement solutions.

To learn more about how our Security, Privacy and Compliance practice can help you prepare for CPRA, safeguard your systems and reputation, and preserve customer trust, contact us today.