TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout


Employment rights and obligations related to human resources data are about to get messy in California. On Jan. 1, 2023, California will become the first state to have a comprehensive data privacy law covering human resources data when the California Privacy Rights Act becomes operational. This change will leave both employees and employers confused regarding the interplay between the CPRA and employment laws because most of the rights under the CPRA either are already addressed or do not make sense in the employment context.

Fortunately, there is still time for the California Privacy Protection Agency to align employment and privacy rights in the CPRA regulations by: (1) defining “professional or employment-related information” to mean an employee’s personnel file; (2) clarifying that the right to correct is limited to rectifying personal information that can be verified; and (3) ensuring the CPRA’s deletion right does not contradict legal retention obligations under employment laws.


With passage of the California Consumer Privacy Act and now the CPRA, California has spearheaded state-level comprehensive privacy legislation, with other states largely following in its footsteps. However, when the human resources exemption is phased out of the CPRA in 2023, other states will likely not follow suit. Colorado and Virginia chose to exclude human resources data from the scope of their privacy laws, along with proposed legislation (e.g., New York and North Carolina) not including human resources data within their purview.

It is no surprise these states chose not to include human resources data within their scope because most privacy rights are either already addressed under existing employment laws or do not apply in the employment context. In California, employees already have the right to access their payroll records, their employment agreements and broadly their personnel file.

Moreover, employment laws provide employees with rights similar to the CPRA’s rights to correct and not to be discriminated against. For example, under California law, an employer may not “discriminate, retaliate, or take any adverse action against an employee” if the employee decides to correct his or her data by updating or changing “name, Social Security number, or federal employment authorization document.” Job applicants may challenge an employer’s decision to deny employment that was erroneously based on a conviction history report. And as a general matter, it is an unlawful practice under California employment laws to discriminate against an employee for opposing any unpermitted practices or exercising his or her rights under the law.

Notably, other rights under the CPRA, such as the right to opt out of the sale or sharing of data and the right to limit the use of sensitive personal information, simply do not apply in the employment context. Employers do not sell employee data and do not track employees for targeted advertisements, so there is no need to opt out of selling or sharing. Likewise, sensitive personal information is collected solely for human resources functions and not for any other purpose, so there is no need to “limit” the use of such data.

In short, California has already adopted laws addressing employee data privacy rights. It is critical for the agency to avoid unravelling scrupulously drafted employment laws that balance data privacy and employment rights for the benefit of employees and employers alike.

Professional or employment-related information should be defined to mean the personnel file

The agency should clarify that “(p)rofessional or employment-related information” under the CPRA means an employee’s personnel file consistent with employees’ and employers’ understanding of the type of data they are generally entitled to receive and disclose in response to access requests. For clarity and consistency, the agency should consider providing examples of the type of data considered part of the personnel file based on guidance provided by the Division of Labor Standards Enforcement:

"Categories of records that are generally considered to be “personnel records” are those that are used or have been used to determine an employee’s qualifications for promotion, additional compensation, or disciplinary action, including termination. The following are some examples of “personnel records” (this list is not all inclusive):

  1. Application for employment
  2. Payroll authorization form
  3. Notices of commendation, warning, discipline, and/or termination
  4. Notices of layoff, leave of absence, and vacation
  5. Notices of wage attachment or garnishment
  6. Education and training notices and records
  7. Performance appraisals/reviews
  8. Attendance records"

Until Jan. 1, 2023, both employees and employers know what obligations and rights exist regarding employee data (e.g., access, retention, correction and non-discrimination), as described above. However, when the CPRA becomes operational, unless the agency closely aligns “professional or employment-related information” with existing employment laws, current clarity will disappear. For example, certain data generated during the course of employment, such as business emails, PowerPoint decks, data regarding the company’s intellectual property, financial spreadsheets, feedback submitted on behalf of other employees, etc., is not employee personal information — rather, it is “company data."

Extending CPRA rights to company data instead of limiting it to the personnel file could potentially reveal the personal information of other employees or contain company trade secrets and proprietary information, which fall outside the CPRA’s scope. Further, requiring an employer to disclose company data imposes significant constraints because the volume of data involved could be akin to an e-discovery request in litigation, which can often eclipse more than $100,000 in a single-plaintiff employment lawsuit. This increase on employers’ costs does little to benefit employees and could further drive businesses out of California.

Accordingly, to avoid creating such confusion and concerns for both employees and employers, the agency should define “professional or employment-related information” to mean the personnel file as defined by the Division of Labor Standards Enforcement.

The right to correct should be limited to information that can be verified

The CPRA regulations should clarify that correction rights are limited to data that can be verified through official documentation, such as correcting a name, an address or other data generally maintained under official government records. Anything subjective could raise concerns that employees fired for cause may ask an employer to correct their job performance records, change the grounds for termination or even delete or “correct” accusations of sexual harassment. There should not be a right to “correct” personnel records for matters of opinion until such issues are resolved by a judge or jury in a lawsuit.

This proposed clarification is in employers’ interest because they will have some basis for correcting an employee’s personal information if it is tied to verifiable documentation. Likewise, it is in employees’ best interests to clarify the correction right in such a manner because it will prevent abusive employees in the workplace from constantly modifying their work history to indicate that they are good supervisors or co-workers when they are not.

In sum, without clarifying the scope of the right to correct this way, workplace administration could be significantly disrupted for both employers and employees.

Employers' legal retention obligations when employees request to delete personal information

The agency should provide an example in the regulations to highlight employers’ legal obligation to retain personal information under employment laws and note this is a valid reason to deny a deletion request. California Labor Code § 1198.5 requires employers to maintain a copy of each employee’s personnel records for a period of no less than three years after termination of employment. Further, Equal Employment Opportunity Commission regulations, the Age Discrimination in Employment Act and the Fair Labor Standards Act also provide recordkeeping obligations ranging from one to three years.

In light of these legal record retention requirements, the right to delete could largely be superfluous, given employers would essentially have to deny such requests as a matter of law under California Civil Code § 1798.105(d)(8). The agency should consider including an example in the regulations to illustrate this as one scenario in which employers may lawfully deny deletion requests under the CPRA to avoid confusion in the workplace.


With California entering into uncharted territory, it is going to be critical for the agency to set an example for other states by carefully aligning CPRA regulations with existing employment laws. Unlike other data privacy issues that may trigger varying opinions along industry lines, the issues identified in this article address concerns across multiple industries, including retail, health care, finance and technology. There is still a chance to avoid confusion if the agency addresses the above issues in the regulations so both employers and employees are protected and have clarity regarding their rights and obligations under the CPRA.

Photo by LYCS Architecture on Unsplash

Implementing the CCPA: A Guide for Global Business

This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed.

Digital version

Top-10 operational impacts of the CPRA

This is a 10-part series intended to help privacy professionals understand the operational impacts of the California Privacy Rights Act, including how it amends the current rights and obligations established by the California Consumer Privacy Act.

Click to view

Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Valerie Franch • Mar 14, 2022
    While employers may not knowingly "sell" or "share" employee personal information, it is likely several companies monetize the data, use the information for a commercial purpose, and/or the exchange of data involves "valuable consideration." 
    Employment laws do not address the data sharing/selling use cases that will be addressed by the CPRA. Personal information, including sensitive personal information, is regularly shared with third parties for activities not strictly necessary to administer and maintain the employee/employer relationship. For example, optional benefit programs, fitness plans, profit-sharing plans, productivity apps, survey tools. In certain cases, it may be necessary to share the information to enable certain functionality in a tool/service, but this should not preclude employees’ data privacy rights (for example, a tool necessary for work that by default opts users into the sharing of their information for marketing and “personalized experiences.”) 
    There are companies that obtain commercial benefits from employee personal information shared with them by clients. Generally, in the U.S., employees do not have the right to opt out of these disclosures.  In the employment setting, there is an imbalance of power and employees often are not given a choice regarding the collection, use, and disclosure of personal information. To address the commercialization of employee personal information, the CPRA will require the inclusion of language in agreements with service providers and contractors that will restrict the parties from “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified” and restrict the party from “selling” and/or “sharing” the data.
    I think the CPRA is moving in the right direction and working to give people a little more control regarding their personal information in the workplace, helping to limit the monetization of employee personal information in which individuals are not given a choice regarding their information, and helping to shine the light on data sharing/use cases in the employee context.