Skip to main content

e-Alert: California Privacy Rights Act: Creating and Posting a Privacy Policy for HR Data

By September 15, 2022No Comments


The California Privacy Rights Act (CPRA) defines data sharing as disclosing personal data to third parties for behavioral advertising. The November 2020 California general election brought major changes to the State’s privacy regime that will require substantial compliance efforts by covered businesses over the next 12-24 months. The new CPRA was approved by voters in the November general election and officially became law on December 16, 2020, five days after election results were certified. The CPRA substantially amends and amplifies the requirements of the law’s predecessor, the California Consumer Privacy Act (CCPA).


Effective January 1, 2023, the CPRA will require employers to comply with two types of notice requirements. The first requirement is the notice at collection, which HRK outlined in a previous e-Alert. The second notice requirement is a privacy policy that details the handling of HR data and must be posted online or on the employer’s website.

The CCPA previously exempted the data of employees, applicants, independent contractors, dependents, and other HR individuals from the majority of its requirements. However, the CPRA sunsets this exemption of HR data and imposes new obligations for handling personal information to include a privacy policy.

The privacy policy must disclose the following information:

  • Personal information collected by the employer during the preceding 12 months;
  • Sources from which the personal information is collected;
  • The business or commercial purposes for collecting, selling, or sharing that personal information;
  • Third parties to which personal information is disclosed;
  • The categories of personal information sold or shared for purposes of cross-context behavioral advertising in the preceding 12 months;
  • Personal information disclosed for a business purpose in the preceding 12 months; and
  • The individual’s CPRA rights and how to exercise those rights, which includes a toll-free telephone number and at least one other method for submitting requests.

While this list may look familiar to the requirements of the notice at collection, there a several important differentiations:

  1. The privacy policy is retrospective and provides details regarding the employer’s information handling during the prior 12 months. The notice at collection is prospective.
  2. The notice at collection may include the personal information being collected at the time of notice, whereas the privacy policy is an inclusive document that will itemize how the information is handled
  3. The privacy policy is not required to include information about data retention.

Opt-Out Options

Typically, employers do not sell or share HR data with third parties in exchange for monetary consideration or advertising purposes. For such employers, the privacy policy should include a conspicuous statement disclosing they have not sold or shared personal information in the prior 12 months. For employers that do share or sell such personal information, a link should be included on the privacy policy where the individual may opt out. Furthermore, if the employer infers characteristics from sensitive personal data and uses or discloses the information beyond operational purposes outlined by the CPRA, the privacy policy must include a notice and provide individuals the option to opt out.

Distribution of the Privacy Policy

The law requires employers to post the privacy policy:

  1. In the company’s online privacy policy and any California-specific description of an individual’s privacy rights (i.e.: in combination with the notice at collection); or
  2. On its internet website
    • Note: The CPRA does not currently define “online,” therefore it could be assumed that an organization’s intranet is acceptable. Keep in mind that applicants would not have access to an employer’s intranet. If using this approach, a separate privacy policy would need to be posted on a career/job posting website or similar forum.

Updates and Maintenance of the Privacy Policy

The privacy policy must be updated annually and “at least once every 12 months.” Employers may create and maintain an annual review process to ensure changes in the company’s data handling practices are updated for any material change.

Employer Next Steps

  • Continue to monitor final regulations, which will be issued by California’s Attorney General’s Office.
  • Because the CPRA privacy policy published on January 1, 2023, will need to include data handling as of January 1, 2022, employers should begin and continue tracking how they process personal data as of January 1, 2022.
  • Assess whether to separate or combine privacy policies and establish regular reviews of the process and related documentation.
  • If you are a Full-Service or Virtual HR client and have questions about this e-Alert, please email us.
The People Simplifying HR

For almost twenty years, HR Knowledge has made it our mission to demystify the complex and daunting process of HR management. We do more than just provide the level of service and technology you’d expect from an industry leader. We combine an unparalleled passion for service with our decades of HR, payroll, and benefits experience to provide our clients with personalized and actionable advice that is second–to–none. From managed payroll to employee benefits to HR support, we can help your organization thrive, grow, and reduce operating costs—no matter what industry you serve. Whether you’re interested in our Full-Service solution or just need your employee handbook written, HR Knowledge can help you minimize risk while staying on top of compliance regulations. The bottom line? We’re not just another cloud-based technology company that also does HR, #WeAreHR. Get the scoop on how we can help you simplify HR.

This content is provided with the understanding that HR Knowledge is not rendering legal advice. While every effort is made to provide current information, the law changes regularly and laws may vary depending on the state or municipality. The material is made available for informational purposes only and is not a substitute for legal advice or your professional judgment. You should review applicable laws in your jurisdiction and consult experienced counsel for legal advice. If you have any questions regarding this content, please contact HR Knowledge at 508.339.1300 or email us.