CCPA/CPRA HR Data Compliance: 7 Steps to Protect Employee Privacy Rights

Published On: August 14, 2025

CPRA extended full privacy rights to California employees, contractors, and job applicants on January 1, 2023. HR teams at covered organizations face mandatory data inventories, rights-request workflows, and purpose-limitation rules that mirror consumer privacy obligations. These seven steps operationalize that compliance without requiring a legal team to run every decision.

The California Privacy Rights Act closed the exemption that kept employee data outside CCPA’s reach. Every piece of sensitive personal information in your HR systems — health data, biometrics, financial account numbers, SSNs, performance records, geolocation data — is now subject to the same regulatory framework as consumer data. Civil penalties run $2,500 per unintentional violation and $7,500 per intentional violation, per incident. For an organization with hundreds of California employees, systemic gaps compound fast.

These seven steps follow the sequence that matters. Each one builds on the last. Skipping steps creates structural gaps that a rights request or enforcement action will expose.


Before You Start: Prerequisites and Risk Assessment

Allocate these resources before beginning:

  • Time: Initial inventory and mapping requires 40–80 hours depending on HR tech stack complexity. Workflow build-out adds another 20–40 hours. Full operationalization takes 3–6 months.
  • Team: You need HR leadership, IT/systems administration, legal counsel familiar with California privacy law, and a project owner who coordinates across all three.
  • Systems access: Pull admin credentials and data schema documentation for every system that touches employee data — HRIS, ATS, payroll, benefits administration, background check providers, learning management, time and attendance.
  • Legal baseline: Confirm whether your organization meets CPRA’s applicability thresholds: gross annual revenue exceeding $25 million; annual buying/selling/receiving of personal information from 100,000+ consumers or households; or deriving 50%+ of annual revenue from selling personal information. If yes, you are covered. Confirm edge cases with counsel.
  • Risk posture: Civil penalties run $2,500 per unintentional violation and $7,500 per intentional violation, per incident. Systemic violations across a California workforce compound fast.

Step 1 — Conduct an HR Data Inventory

You cannot comply with a law governing data you don’t know you have. A complete HR data inventory is the structural foundation of every subsequent step.

For each HR system in your tech stack, document:

  • Data categories collected: Name, address, SSN, financial account information, health data, biometrics, performance ratings, communications content, geolocation (for remote work monitoring or field employees), union membership.
  • Collection source: Employee self-service, manager input, third-party background check, payroll processor, benefits enrollment platform, recruiting ATS.
  • Business purpose: Why is each category collected? Payroll processing, benefits administration, legal compliance, performance management, workforce analytics.
  • Data flows: Which internal teams access the data? Which external vendors or service providers receive it? In what format and via what integration — API, file transfer, direct database access?
  • Retention period: How long is the data kept? Is there a documented policy or a de facto practice?
  • Legal basis: What justifies collection and use — employment necessity, legal obligation, or consent?

The output is a data map: a living document that shows where every category of employee personal information lives, flows, and ends. This map drives Steps 2 through 7. Treat it as operational infrastructure, not a one-time audit artifact.

Expert Take

Most HR teams that fail CPRA compliance do so in Step 1. They complete a surface-level inventory that lists systems but not data flows. When a rights request arrives and you have to trace where one employee’s health information went — which vendor received it, which backup system holds a copy, which report exported it last quarter — a surface-level inventory leaves you blind. Build the data map at the field level, not the system level.


Step 2 — Categorize Sensitive Personal Information

CPRA creates a distinct higher-protection class called Sensitive Personal Information (SPI). HR holds most of it. SPI in an HR context includes:

  • Social Security numbers, driver’s license numbers, and state identification card numbers
  • Financial account information — direct deposit routing numbers and account numbers
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, and union membership
  • Contents of employee communications not directed to the business
  • Genetic data and biometric information processed for identification
  • Health information
  • Information concerning sexual orientation or sex life

SPI carries additional obligations beyond standard personal information. Employees have the right to limit the use and disclosure of SPI to what is necessary for the disclosed collection purpose. That right-to-limit obligation requires you to know — and enforce — purpose boundaries in your systems and vendor contracts.

Mark every SPI category in your data map from Step 1 with a distinct flag. These fields drive the access controls, contracts, and retention rules built in subsequent steps.


Step 3 — Update Privacy Notices and Rights Disclosures

CPRA requires covered employers to notify California employees, job applicants, and contractors of their privacy rights at or before the point of collection. The notice must disclose:

  • Categories of personal information and SPI collected
  • Purposes for which each category is used
  • How long each category is retained, or the criteria used to determine retention
  • Whether any category is sold or shared, and to whom
  • Each privacy right the individual holds and how to exercise it

Separate notices are required for the employee context and the job applicant context. A single employee handbook addendum covering both groups is not sufficient when the data categories or business purposes differ.

Distribute updated notices before any data collection occurs. For existing employees, provide updated notices as part of a documented communication — email with acknowledgment, policy portal with date-stamped acceptance, or equivalent. Retain proof of distribution.

Notices must be written in plain language accessible to the average reader. Legal density defeats the disclosure purpose and provides no enforcement protection.


Step 4 — Build a Rights-Request Intake and Response Workflow

California employees hold five enforceable rights under CPRA: the right to know, right to delete, right to correct, right to limit use of SPI, and right to opt out of sale or sharing. Each requires a defined intake and response process before a request arrives — not after.

Build a workflow that handles:

  • Intake: A designated submission channel — form, email address, or portal — that captures request type, requester identity, and date received. One channel for all request types reduces routing errors.
  • Identity verification: CPRA requires verification before disclosure or deletion. Define your verification standard — government ID match, account login confirmation, or email verification — and document it. Verification must be proportionate to the sensitivity of the data being accessed.
  • Response timeline: 45 days to respond to a verified request, with a one-time 45-day extension (with notice) when reasonably necessary. Build your workflow around the initial 45-day deadline, not the extension.
  • Cross-system execution: Rights requests span every system in your data map. Fulfilling a deletion request means executing deletion across HRIS, payroll, ATS, benefits platforms, and every vendor that received the individual’s data. Document the execution steps for each system.
  • Exemptions: Some data must be retained regardless of a deletion request — data necessary to complete a transaction, data required by law (I-9, payroll tax records), data used to detect security incidents. Document exemptions explicitly so you can explain them to a requester.
  • Response documentation: Retain records of every request received, the verification outcome, the response provided, and the execution steps taken. This is your audit trail for enforcement.

Automating this workflow with Make.com reduces manual coordination errors and creates a timestamped audit trail by default. A Make.com scenario can route incoming requests by type, trigger verification prompts, send requester status updates, and log each step to a central record — without requiring HR to manually track 45-day deadlines across a spreadsheet. See how Make.com changes automation work for HR teams for a technical walkthrough of what this looks like in practice.
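The following is an added example, not code from the original post or from Make.com: it models the field-level data map from Steps 1 and 2 (SPI flags, receiving vendors, deletion exemptions) and uses it to drive the intake record, the 45-day deadline with its single extension, and the cross-system execution plan for delete, limit and know requests described in Step 4. The systems, vendors and field names are constructed sample values; the `MappedField` structure and the exemption reasons attached to fields are assumptions about how a team would encode its own data map.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed field-level data map (hypothetical systems, vendors and fields,
# not a real HR stack). Each entry is one field in one system, carrying the
# SPI flag from Step 2, the vendors that receive it, and any statutory reason
# it is exempt from deletion (the Step 4 exemptions).
@dataclass(frozen=True)
class MappedField:
    system: str
    field_name: str
    category: str
    spi: bool = False
    vendors: Tuple[str, ...] = ()
    deletion_exempt: Optional[str] = None  # exemption reason, or None if deletable

DATA_MAP: List[MappedField] = [
    MappedField("HRIS", "ssn", "identifier", spi=True,
                vendors=("PayrollCo",), deletion_exempt="payroll tax records"),
    MappedField("HRIS", "home_address", "contact"),
    MappedField("HRIS", "i9_work_authorization", "legal",
                deletion_exempt="I-9 retention"),
    MappedField("Payroll", "bank_account", "financial", spi=True,
                vendors=("PayrollCo",)),
    MappedField("Benefits", "health_plan_enrollment", "health", spi=True,
                vendors=("BenefitsAdmin",)),
    MappedField("ATS", "resume", "applicant"),
    MappedField("LMS", "course_completions", "training"),
]

RESPONSE_WINDOW = timedelta(days=45)

def response_deadline(received: str, extended: bool = False) -> str:
    """ISO date by which a verified request must be answered.

    The initial window is 45 days; one further 45-day extension is allowed
    when reasonably necessary and the requester has been notified.
    """
    deadline = date.fromisoformat(received) + RESPONSE_WINDOW
    if extended:
        deadline += RESPONSE_WINDOW
    return deadline.isoformat()

def spi_fields(data_map: List[MappedField]) -> List[MappedField]:
    """Fields flagged as Sensitive Personal Information in Step 2."""
    return [f for f in data_map if f.spi]

def plan_deletion(data_map: List[MappedField]) -> Dict[str, list]:
    """Cross-system execution plan for a right-to-delete request.

    Exempt fields are listed with their reason so the response can explain
    them; vendors are notified only for fields that are actually deleted.
    """
    plan: Dict[str, list] = {"delete": [], "retain": [], "notify_vendors": []}
    vendors = set()
    for f in data_map:
        if f.deletion_exempt:
            plan["retain"].append((f.system, f.field_name, f.deletion_exempt))
        else:
            plan["delete"].append((f.system, f.field_name))
            vendors.update(f.vendors)
    plan["notify_vendors"] = sorted(vendors)
    return plan

def plan_limit_spi(data_map: List[MappedField]) -> Dict[str, list]:
    """Plan for a right-to-limit request: every SPI field, plus the vendors
    whose contracts must enforce the purpose limitation (Step 5)."""
    fields = spi_fields(data_map)
    return {
        "limit": [(f.system, f.field_name) for f in fields],
        "vendors": sorted({v for f in fields for v in f.vendors}),
    }

def open_request(request_type: str, received: str, verified: bool,
                 data_map: List[MappedField] = DATA_MAP) -> Dict:
    """Audit record for one intake: type, dates, verification outcome and the
    execution plan. An unverified request gets no plan until verified."""
    record = {
        "type": request_type,
        "received": received,
        "deadline": response_deadline(received),
        "verified": verified,
        "plan": None,
    }
    if not verified:
        return record
    if request_type == "delete":
        record["plan"] = plan_deletion(data_map)
    elif request_type == "limit":
        record["plan"] = plan_limit_spi(data_map)
    elif request_type == "know":
        record["plan"] = {"disclose": [(f.system, f.field_name, f.category)
                                       for f in data_map]}
    return record

if __name__ == "__main__":
    import json
    print(json.dumps(open_request("delete", "2025-03-01", True), indent=2))
```

The deletion plan keeps the exempt fields visible rather than silently dropping them, which is what lets the response to the requester state exactly which records are retained and why; the vendor list is derived from the map, so a vendor added to the map later is picked up without touching the workflow.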


Step 5 — Audit and Update Vendor Contracts

Every third-party vendor that processes California employee personal information on your behalf is a service provider under CPRA. The law requires written contracts that restrict how service providers use employee data, prohibit them from selling or sharing it, and require them to assist with rights requests.

For each vendor in your data map:

  • Confirm contract status: Does a current Data Processing Agreement or equivalent exist? When was it last updated?
  • Verify required clauses: CPRA-compliant service provider contracts must prohibit use of personal information for any purpose other than the contracted service, prohibit sale or sharing, require notification of subprocessors, require assistance with rights requests and audits, and require deletion or return of data at contract termination.
  • Address SPI separately: If a vendor receives SPI — health data, biometrics, financial account information — the contract must explicitly address purpose limitation for those SPI categories.
  • Flag gaps: Any vendor without a compliant contract is a CPRA liability. Prioritize remediation by data sensitivity — vendors receiving SPI first, then vendors receiving standard personal information.

Document every contract review, the gaps identified, and the remediation action taken. This documentation demonstrates good-faith compliance efforts during enforcement review.


Step 6 — Establish and Enforce Retention Schedules

CPRA prohibits retaining personal information longer than is necessary for the disclosed purpose. For HR, that means a documented retention schedule for every data category — not a blanket policy that retains everything for seven years.

Build retention rules by category:

  • Active employment records: Duration of employment plus statutory minimums for each record type. I-9: 3 years from hire or 1 year from termination, whichever is later. Payroll tax records: 4 years per IRS requirements. FLSA records: 3 years.
  • Applicant records: EEOC recommends one year from date of personnel action. OFCCP requires two years for federal contractors.
  • Benefits and health data: HIPAA plan documents: 6 years. ERISA: 6 years. Medical records for ADA accommodation: duration of employment plus 3 years.
  • Background check data: FCRA limits re-use. Retain only for the duration required for the hiring decision; delete promptly after.
  • Performance and disciplinary records: Define by business policy — document the policy and enforce it in your HRIS configuration.

Retention schedules mean nothing without enforcement. Configure auto-deletion or auto-archival in each HR system where possible. Where automation is not available, build a manual review calendar. See 9 HRIS configuration defaults every small HR team should change for common system-level gaps that create unintended retention.
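As an added example (not code from the original post), the retention rules listed above encoded per record category, with the "whichever is later" I-9 rule and the open-ended case of a still-employed person handled explicitly. The record shapes and IDs are constructed; two points are assumptions rather than statements from the post: payroll tax, FLSA and plan records are counted from the record's own date, and background check data gets an optional `grace_days` after the hiring decision (default zero, matching "delete promptly after").

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

def _d(iso: Optional[str]) -> Optional[date]:
    return date.fromisoformat(iso) if iso else None

def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls back to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_end(rec: Dict) -> Optional[date]:
    """Date on which the record's retention period ends, or None while the
    record must still be kept open-ended (e.g. I-9 for a current employee)."""
    kind = rec["type"]
    if kind == "i9":
        # 3 years from hire or 1 year from termination, whichever is later
        term = _d(rec.get("termination_date"))
        if term is None:
            return None
        return max(add_years(_d(rec["hire_date"]), 3), add_years(term, 1))
    if kind == "payroll_tax":          # 4 years (assumed: from record date)
        return add_years(_d(rec["record_date"]), 4)
    if kind == "flsa":                 # 3 years (assumed: from record date)
        return add_years(_d(rec["record_date"]), 3)
    if kind == "applicant":            # 1 year from the personnel action
        return add_years(_d(rec["action_date"]), 1)
    if kind in ("hipaa_plan", "erisa"):  # 6 years (assumed: from record date)
        return add_years(_d(rec["record_date"]), 6)
    if kind == "ada_medical":          # duration of employment plus 3 years
        term = _d(rec.get("termination_date"))
        return None if term is None else add_years(term, 3)
    if kind == "background_check":     # delete promptly after the decision
        grace = timedelta(days=rec.get("grace_days", 0))  # assumed knob
        return _d(rec["decision_date"]) + grace
    raise ValueError(f"no retention rule for record type {kind!r}")

def deletion_due(records: List[Dict], as_of: str) -> List[str]:
    """IDs of records whose retention period has ended on or before as_of,
    i.e. the manual review list where auto-deletion is not configured."""
    today = date.fromisoformat(as_of)
    due = []
    for r in records:
        end = retention_end(r)
        if end is not None and end <= today:
            due.append(r["id"])
    return sorted(due)

# Constructed sample records (hypothetical IDs and dates).
SAMPLE_RECORDS: List[Dict] = [
    {"id": "i9-1", "type": "i9", "hire_date": "2020-03-15",
     "termination_date": "2024-09-30"},
    {"id": "i9-2", "type": "i9", "hire_date": "2022-05-01"},  # still employed
    {"id": "tax-1", "type": "payroll_tax", "record_date": "2021-12-31"},
    {"id": "flsa-1", "type": "flsa", "record_date": "2022-01-31"},
    {"id": "app-1", "type": "applicant", "action_date": "2024-06-01"},
    {"id": "erisa-1", "type": "erisa", "record_date": "2020-02-29"},
    {"id": "ada-1", "type": "ada_medical", "termination_date": "2024-09-30"},
    {"id": "bgc-1", "type": "background_check", "decision_date": "2024-02-10"},
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r["id"], retention_end(r))
    print("due for deletion:", deletion_due(SAMPLE_RECORDS, "2025-08-14"))
```

Running the review list against a date and keeping the output with the review calendar gives the dated evidence of enforcement that Step 7 asks for; records with no end date stay on the list until a termination date is entered, which is the correct failure mode for open-ended statutory holds.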


Step 7 — Test, Document, and Maintain the Program

CPRA compliance is not a project with an end date. It is an operational program with ongoing obligations. Step 7 turns the work from Steps 1 through 6 into a sustainable process.

Run an initial dry-run rights request. Before you receive a real request, simulate one. Pick a test employee record and execute a rights-request workflow end to end: intake, verification, data map lookup, cross-system query, response drafting, and execution. Document every gap the dry run reveals and close it before go-live.

Establish a program review cadence. At minimum, review the data map, retention schedules, and vendor contracts annually. Review immediately when a new HR system is added, a new vendor relationship begins, a data category changes, or the California Privacy Protection Agency issues new CPRA regulations.

Train HR and people managers. Employees exercise rights through HR. Managers field questions directly from their teams. Both groups need to know: what rights exist, how to route a request, and what not to say. Train before go-live and re-train annually.

Maintain documentation as evidence. The California Privacy Protection Agency (CPPA) can demand records of compliance efforts. Your data map, rights-request logs, vendor contract reviews, training records, and retention policy documentation are your evidence set. Store them in a location HR leadership and legal can access.

HR teams that inherited broken operations alongside this compliance obligation need to stabilize the foundation before building programs on top of it. See what HR triage risk mapping looks like in practice before layering compliance workflows onto an operation that hasn’t been audited.


Frequently Asked Questions

Does CPRA apply to small employers?

CPRA applies to for-profit businesses that meet at least one of three thresholds: gross annual revenue exceeding $25 million, annual buying/selling/sharing of personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling personal information. Businesses below all three thresholds are not covered — but confirm with legal counsel, since some California state law obligations still apply.

Are HR rights requests different from consumer rights requests?

The rights are the same — know, delete, correct, limit SPI use, and opt out of sale or sharing — but the exemptions differ. Employment law creates carve-outs that don’t apply to consumer data: retention of records required by law, data necessary to administer benefits, records needed for legal claims. HR rights requests require legal review of applicable exemptions before response.

What is the response deadline for a CPRA rights request?

45 days from receipt of a verified request. One 45-day extension is permitted when reasonably necessary, with notice to the requester provided within the initial 45-day window. Build your workflow to the 45-day deadline. Extensions exist for genuine operational complexity, not as a default buffer.

Does CPRA require consent to collect employee data?

No. CPRA does not require employee consent to collect personal information necessary for employment. The legal basis is employment necessity, not consent. Consent is only required for purposes outside the scope of the disclosed collection purpose, or for specific SPI categories where purpose limitation applies.

What happens if a vendor refuses to sign a CPRA-compliant contract?

A vendor that refuses to execute a compliant Data Processing Agreement is a CPRA liability. The covered business bears enforcement exposure for the vendor’s processing of employee data. Document the refusal, escalate to legal, and evaluate whether the relationship can continue. Most major HR vendors have compliant DPA templates available on request.
