Skip to main content
  • Foundation
  • Executive network
  • CEO Circle
  • Enterprise Solutions
  • Linkage Logo
  • Store
  • Sign In
  • Account
    • My Account
    • Logout
    • Global
    • India
    • MENA
SHRM
About
Book a Speaker
Join Today
Renew
Rejoin Now
Renew
  • Membership
  • Certification
    Certification

    Smiling asian student studying in library with laptop books doing online research for coursework, making notes for essay homework assignment, online education e-learning concept
    Get Certified!

    Be recognized as an HR leader with your SHRM-CP or SHRM-SCP credential.

    • How to Get Certified

      Demonstrate your ability to apply HR principles to real-life situations. No other HR certification compares.

      • How to Get Certified
      • Eligibility Criteria
      • Exam Details and Fees
      • SHRM-CP
      • SHRM-SCP
      • Which Certification is Best for Me
      • Certification FAQs
    • Prepare for the Exam

      Give yourself the best chance to pass your SHRM certification exam.

      • Exam Preparation
      • SHRM BASK
      • SHRM Learning System
      • Instructor-Led Learning
      • Self-Study
      • Study Aids & Add-ons
    • Recertification

      Recertify your SHRM Credentials before your end date!

      • Specialty Credentials
      • Qualifications
  • Topics & Tools
    Topics & Tools

    Stay up to date with workplace news and leverage our vast library of resources to streamline day-to-day HR tasks.

    The white house in washington, dc.
    Executive Order Impact Zone

    Do not abandon, but evaluate and evolve. It is about legal, equal opportunity for all.

    • News & Trends

      Follow breaking news and emerging workplace trends.

      Legal & Compliance

      Stay informed on workplace legal updates and their impacts.

      From the Workplace

      Explore diverse perspectives from your peers on today's workplaces.

      Flagships

      Get curated collections of podcasts, videos, articles, and more produced by SHRM.

    • HR Topics
      • AI in the Workplace
      • Civility at Work
      • Compensation & Benefits
      • Inclusion & Diversity
      • Talent Acquisition
      • Workplace Technology
      • Workplace Violence Prevention
      SEE ALL
      SHRM Research
    • Tools & Samples

      Access member resources and tools to streamline HR tasks.

      • Forms & Checklists
      • How-To Guides
      • Interactive Tools
      • Job Descriptions
      • Policies
      • Toolkits
      SEE ALL
      Ask an Advisor
  • Events & Education
    Events & Education

    SHRM25 in San Diego, June 29 - July 2, 2025
    Join us for SHRM25 in San Diego

    Register for the World’s Largest HR Conference being held on June 29 - July 2, 2025

    • Events
      • SHRM25
      • The AI+HI Project 2025
      • INCLUSION 2025
      • Talent 2026
      • Linkage Institute 2025
      SEE ALL
      Webinars
    • Educational Programs

      Designed and delivered by HR experts to empower you with the knowledge and tools you need to drive lasting change in the workplace.

      Specialty Credentials

      Demonstrate targeted competence and enhance credibility among peers and employers.

      Qualifications

      Gain a deeper understanding and develop critical skills.

    • Team Training & Development

      Customized training programs unique to your organization’s needs.

  • Business Solutions
  • Advocacy
    Advocacy

    Make your voice heard on public policy issues impacting the workplace.

    Advocacy
    SHRM's President & CEO testifies to Congress on "The State of American Education"
    • Policy Areas
      • Workforce Development
      • Workplace Inclusion
      • Workplace Flexibility & Leave
      • Workplace Governance
      • Workplace Health Care
      • Workplace Immigration
      State Affairs

      SHRM advances policy solutions in state legislatures nationwide.

      Global Policy

      SHRM is the go-to for global HR leaders and businesses on workplace matters.

    • Advocacy Team (A-Team)

      SHRM’s A-Team is a key member benefit, giving you the tools, insights, and opportunities to shape workplace policy and drive real impact.

      Take Action

      Urge lawmakers to support policies that create lasting, positive change.

      Advocacy & Legislative Resources

      Access SHRM’s curated policy materials and content.

    • SHRM-Led Coalitions
      • Generation Cares
      • The Section 127 Coalition
      • Learn More & Partner with SHRM Government Affairs
  • Community
    Community

    Woman raising hand in group
    Find a SHRM Chapter

    Easily find a local professional or student chapter in your area.

    • Chapters

      Find local connections from over 607 chapters and state councils and create your personalized HR network.

      SHRM Connect

      Post polls, get crowdsourced answers to your questions and network with other HR professionals online.

      SHRM Northern California

      Join SHRM members in the greater San Francisco Bay area for local events and networking.

    • Membership Councils

      Learn about SHRM's five regional councils and the Membership Advisory Council (MAC).

      • Membership Advisory Council
      • Regional Councils
    • Volunteers

      Learn about volunteer opportunities with SHRM.

      • Volunteer Leader Resource Center
Close
  • Membership
  • Certification
    back
    Certification
    Smiling asian student studying in library with laptop books doing online research for coursework, making notes for essay homework assignment, online education e-learning concept
    Get Certified!

    Be recognized as an HR leader with your SHRM-CP or SHRM-SCP credential.

    • How to Get Certified

      Demonstrate your ability to apply HR principles to real-life situations. No other HR certification compares.

      • How to Get Certified
      • Eligibility Criteria
      • Exam Details and Fees
      • SHRM-CP
      • SHRM-SCP
      • Which Certification is Best for Me
      • Certification FAQs
    • Prepare for the Exam

      Give yourself the best chance to pass your SHRM certification exam.

      • Exam Preparation
      • SHRM BASK
      • SHRM Learning System
      • Instructor-Led Learning
      • Self-Study
      • Study Aids & Add-ons
    • Recertification

      Recertify your SHRM Credentials before your end date!

      • Specialty Credentials
      • Qualifications
  • Topics & Tools
    back
    Topics & Tools

    Stay up to date with workplace news and leverage our vast library of resources to streamline day-to-day HR tasks.

    The white house in washington, dc.
    Executive Order Impact Zone

    Do not abandon, but evaluate and evolve. It is about legal, equal opportunity for all.

    • News & Trends

      Follow breaking news and emerging workplace trends.

      Legal & Compliance

      Stay informed on workplace legal updates and their impacts.

      From the Workplace

      Explore diverse perspectives from your peers on today's workplaces.

      Flagships

      Get curated collections of podcasts, videos, articles, and more produced by SHRM.

    • HR Topics
      • AI in the Workplace
      • Civility at Work
      • Compensation & Benefits
      • Inclusion & Diversity
      • Talent Acquisition
      • Workplace Technology
      • Workplace Violence Prevention
      SEE ALL
      SHRM Research
    • Tools & Samples

      Access member resources and tools to streamline HR tasks.

      • Forms & Checklists
      • How-To Guides
      • Interactive Tools
      • Job Descriptions
      • Policies
      • Toolkits
      SEE ALL
      Ask an Advisor
  • Events & Education
    back
    Events & Education
    SHRM25 in San Diego, June 29 - July 2, 2025
    Join us for SHRM25 in San Diego

    Register for the World’s Largest HR Conference being held on June 29 - July 2, 2025

    • Events
      • SHRM25
      • The AI+HI Project 2025
      • INCLUSION 2025
      • Talent 2026
      • Linkage Institute 2025
      SEE ALL
      Webinars
    • Educational Programs

      Designed and delivered by HR experts to empower you with the knowledge and tools you need to drive lasting change in the workplace.

      Specialty Credentials

      Demonstrate targeted competence and enhance credibility among peers and employers.

      Qualifications

      Gain a deeper understanding and develop critical skills.

    • Team Training & Development

      Customized training programs unique to your organization’s needs.

  • Business Solutions
  • Advocacy
    back
    Advocacy

    Make your voice heard on public policy issues impacting the workplace.

    Advocacy
    SHRM's President & CEO testifies to Congress on "The State of American Education"
    • Policy Areas
      • Workforce Development
      • Workplace Inclusion
      • Workplace Flexibility & Leave
      • Workplace Governance
      • Workplace Health Care
      • Workplace Immigration
      State Affairs

      SHRM advances policy solutions in state legislatures nationwide.

      Global Policy

      SHRM is the go-to for global HR leaders and businesses on workplace matters.

    • Advocacy Team (A-Team)

      SHRM’s A-Team is a key member benefit, giving you the tools, insights, and opportunities to shape workplace policy and drive real impact.

      Take Action

      Urge lawmakers to support policies that create lasting, positive change.

      Advocacy & Legislative Resources

      Access SHRM’s curated policy materials and content.

    • SHRM-Led Coalitions
      • Generation Cares
      • The Section 127 Coalition
      • Learn More & Partner with SHRM Government Affairs
  • Community
    back
    Community
    Woman raising hand in group
    Find a SHRM Chapter

    Easily find a local professional or student chapter in your area.

    • Chapters

      Find local connections from over 607 chapters and state councils and create your personalized HR network.

      SHRM Connect

      Post polls, get crowdsourced answers to your questions and network with other HR professionals online.

      SHRM Northern California

      Join SHRM members in the greater San Francisco Bay area for local events and networking.

    • Membership Councils

      Learn about SHRM's five regional councils and the Membership Advisory Council (MAC).

      • Membership Advisory Council
      • Regional Councils
    • Volunteers

      Learn about volunteer opportunities with SHRM.

      • Volunteer Leader Resource Center
Join Today
Renew
Rejoin Now
Renew
  • Store
    • Global
    • India
    • MENA
  • About
  • Book a Speaker
  • Foundation
  • Executive network
  • CEO Circle
  • Enterprise Solutions
  • Linkage Logo
SHRM
Sign In
  • Account
    • My Account
    • Logout
Close

  1. Topics & Tools
  2. Employment Law & Compliance
  3. Final Regs Clear Path for Employers to Complete CPRA Compliance
Share
  • Linked In
  • Facebook
  • Twitter
  • Email

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus convallis sem tellus, vitae egestas felis vestibule ut.


Error message details.

Copy button
Reuse Permissions

Request permission to republish or redistribute SHRM content and materials.


Learn More
News

Final Regs Clear Path for Employers to Complete CPRA Compliance

June 21, 2023 | Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen © Littler

An image of a padlock on a circuit board.


​After months of uncertainty, the rulemaking process for the California Privacy Rights Act (CPRA), the first-ever comprehensive U.S. data privacy law applicable to HR data, concluded on March 29.

California employers can put the finishing touches on required notices and policies, distribute them, and take the other steps necessary to implement their compliance program.

Under the prior law, the California Consumer Privacy Act (CCPA), HR data was excluded except that California employers were required to provide applicants and employees in California with a brief notice at collection. 

Once the CPRA, which amends and supersedes the CCPA, went into effect on Jan. 1, this near-total exemption for HR data was eliminated. Employers must post an online privacy policy, ensure that contracts with service providers contain statutorily mandated language, and establish procedures so that applicants, employees and their dependents can exercise their new data rights.

The CPRA established a six-month grace period on administrative enforcement through June 30. The CPRA does not allow for a private right of action. Consequently, employers can put their compliance efforts into high gear without fear of litigation.

Given the overlapping disclosure requirements, many employers may wish to combine the notice at collection and privacy policy into one document. The final CPRA regulations confirm that combining the two notices is permissible, so long as the individual is directed to the specific section of the privacy policy that includes the information that must be included in the notice at collection.

To the extent the California Employer distributes a standalone notice at collection, the final regulations require that the notice at collection include a link to the business's privacy policy.

The final CPRA regulations depart from the statute with respect to the requirements for disclosures of personal information to external recipients. The statute requires disclosure of the categories of third parties to whom personal information is disclosed for any purpose, but the CPRA regulations require such disclosures made only for a "business purpose."

The final regulations also require that businesses include the following additional information points in the privacy policy, which are not specifically stated in the statute:

  • Under the final regulations, the privacy policy must include a statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age.
  • The privacy policy must provide information on how an individual can implement opt-out preference signals, as well as an explanation of how opt-out preference signals will be processed. Opt-out preference signals will rarely apply in the employment context because employers generally do not "sell" or "share" personal information of HR Individuals.
  • The privacy policy must include instructions on how an individual's authorized agent can make a request under the CPRA.
  • The statute specifies that the privacy policy must include a description of an individual's rights under the CPRA and how to exercise those rights. The regulations add the requirement that the privacy policy include a general description of how the business will verify the individual's request. The privacy policy should explain that the employer will match identifying information provided by the individual to the personal information of the individual already maintained by the employer.
  • The privacy policy must include a contact for questions or concerns about the business's privacy policies and the date the privacy policy was last updated.

New Vendor Contracting Requirement

The CPRA lists nearly a dozen clauses that California employers must include in their agreements with vendors that handle employees' personal information.

The final CPRA regulations, for the most part, parrot the CPRA's list of contracting requirements. The regulations add to the list only two requirements related to purposes of use. First, the vendor agreement must identify the specific business purposes for which the vendor is permitted to handle personal information.  Second, the agreement must state that the personal information is being disclosed to the vendor only for the specified business purposes. 

Data Rights

With regard to data rights, the regulations eased a few significant burdens, added many new requirements, and clarified several issues. Individuals have:

  • The right to delete personal information.
  • The right to correct inaccurate personal information.
  • The right to know, which encompasses (a) the right to a disclosure about how the business collects, uses, and discloses the requestor's personal information and (b) the right to access the specific pieces of personal information obtained by the business.
  • The right to opt out of sales of personal information.
  • The right to opt out of sharing of personal information, meaning disclosure of personal information to third parties for behavioral advertising.
  • The right to limit the use and disclosure of sensitive personal information.

First, the regulations add new notification and disclosure requirements to the process of responding to data rights requests.

The most substantial new disclosure requirement in the regulations obliges the business to explain the basis for denial when rejecting a right to know, delete, or correct. If the employer refuses to provide information in response to a request to know beyond the 12-month lookback period, the regulations require the employer to provide "a detailed explanation that includes enough facts to give [an individual] a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period."

The regulations also add a significant new timed notice requirement. The statute just requires that businesses respond to requests to know, correct, and delete within 45 days of receiving the request, with an option to extend the response period with notice and if "reasonably necessary." The regulations also require that the company confirm receipt of a request to know, delete, or correct within 10 business days of receiving the request.

Employers will have a continuing obligation regarding the accuracy of personal information amended in response to a request to correct. Under the regulations, whether the business has "implemented measures" to keep such personal information accurate "factors into" whether the business has "adequately complied with a … request to correct."

The regulations craft a new requirement for all such companies to comply with opt-out preference signals for sales and sharing of data. California Attorney General has signaled that he interprets the definition of "sale" very broadly. Some website cookies that make website visitor information available to third parties for analytics and advertising potentially could be construed as selling or sharing personal information. Employers' applicant web pages may use cookies that disclose data about applicants to third parties. HR and legal departments should work with their website managers to consider these issues.

The final regulations clarify that sensitive personal information "that is collected or processed without the purpose of inferring characteristics about [a California resident] is not subject to requests to limit."  Although employers collect substantial amounts of sensitive personal information, they typically do not use it to infer characteristics about an individual. As a result, the right to limit sensitive personal information generally will not apply to HR data.

The regulations lightened the load of complying with data rights requests in three key ways. The final regulations retained the exception to the right to know for relatively inaccessible personal information.  An employer need not comply with a request to know if the employer:

  • Does not maintain the personal information in a searchable or reasonably accessible format.
  • Maintains the personal information solely for legal or compliance purposes.
  • Does not sell the personal information and does not use it for any commercial purpose.

The regulations limit the right to know in another significant manner by prohibiting employers from producing certain highly sensitive personal information in response to a request for specific pieces of personal information. The final rules do not allow employers to disclose items including Social Security numbers, login credentials, and health insurance numbers. This reduces a major risk for employers, which could be faulted for disclosing this information in response to a spoofed request or through some form of insecure means. Although businesses must verify the identity of the requesting individual, inevitably some bad actors may infiltrate the authentication process.

Employers need not delete or correct personal information on archived or back-up systems within the 45-day deadline. Instead, they can delete or correct the data when it is next accessed, used, or restored to an active system.

Employers must be mindful when collecting HR data, including new categories of personal information collected with consent. The collection should be limited to the "minimum necessary" to achieve the purpose for collection. From a practical standpoint, the purpose limitation within the CPRA regulations puts the onus on employers to consider two points:

  • Employers must ensure that they consider all of the purposes for which HR data may be used.
  • When new technology or systems are introduced into the workplace to process or store HR data, employers should have a process in place to assess whether the system's use of the personal information falls within the purview of a purpose identified within the notice at collection.

If the California authorities follow an enforcement strategy similar to their approach to the CCPA, the CPRA's predecessor law, they may just issue warnings and guidance for a year or so before pursuing fines and penalties. Nevertheless, employers should take advantage of the remaining window to finalize and post their privacy notices, execute their remaining vendor agreements, and ensure that their policies and procedures support their compliance with this demanding new law.

Kwabena Appenteng, Zoe Argento, Philip Gordon, and Denise Tran-Nguyen are attorneys with Littler. ©2023. All rights reserved. Reprinted with permission.

Data Security
Employee Data Privacy
Employment Law & Compliance
Risk Management
Workplace Security

Artificial Intelligence in the Workplace

​An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.



Related Content

Kelly Dobbs Bunting speaks onstage at SHRM24
(opens in a new tab)
News
Why AI+HI Is Essential to Compliance

HR must always include human intelligence and oversight of AI in decision-making in hiring and firing, a legal expert said at SHRM24. She added that HR can ensure compliance by meeting the strictest AI standards, which will be in Colorado’s upcoming AI law.

(opens in a new tab)
News
A 4-Day Workweek? AI-Fueled Efficiencies Could Make It Happen

The proliferation of artificial intelligence in the workplace, and the ensuing expected increase in productivity and efficiency, could help usher in the four-day workweek, some experts predict.

(opens in a new tab)
News
How One Company Uses Digital Tools to Boost Employee Well-Being

Learn how Marsh McLennan successfully boosts staff well-being with digital tools, improving productivity and work satisfaction for more than 20,000 employees.

Workplace Compliance Newsletter

Summaries of legal decisions, legislative news and regulatory news, delivered Friday afternoons.

Success title

Success caption

Manage Subscriptions
  • About SHRM
  • Careers at SHRM
  • Press Room
  • Contact SHRM India
  • Book a SHRM Executive Speaker
  • Advertise with Us
  • Copyright & Permissions
  • Post a Job
  • Find an HR Job
Contact Us

SHRM India Corporate Information
Email: shrmindia@shrm.org
Phone: (1)800.103.2198
WhatsApp: +919810503727

Follow Us
  • LinkedIn
  • Facebook
  • Twitter
  • Instagram
  • YouTube
  • SHRM Newsletters
  • Ask An Advisor

© 2025 SHRM. All Rights Reserved

SHRM provides content as a service to its readers and members. It does not offer legal advice, and cannot guarantee the accuracy or suitability of its content for a particular purpose. Disclaimer


  1. Privacy Policy

  2. Terms of Use

  3. Accessibility

Join SHRM for Exclusive Access to Member Content

SHRM Members enjoy unlimited access to articles and exclusive member resources.

Already a member?
Free Article
Limit Reached

Get unlimited access to articles and member-exclusive resources.

You've reached the limit of 1 free article this month. Join to access unlimited articles and member-only resources.

Already a member?
Free Article
Exclusive Executive-Level Content

This content is for the SHRM Executive Network and Executive Content Subscription members only.

You've reached the limit of 1 free article this month. Join the Executive Network and enjoy unlimited content.

Already a member?
Free Article
Exclusive Executive-Level Content

This content is for the SHRM Executive Network and Executive Content Subscription members only.

You've reached the limit of 1 free article this month. Join and enjoy unlimited access to SHRM Executive Network Content.

Already a member?
Unlock Your Career with SHRM Membership

Please enjoy this free resource! Join SHRM for unlimited access to exclusive articles and tools.

Already a member?

Your membership is almost expired! Renew today for unlimited access to member content.

Renew now

Your membership has expired. Renew today for unlimited access to member content.

Renew Now

Your Executive Network membership is nearing its expiration. Renew now to maintain access.

Renew Now

Your membership has expired. Renew your Executive Network benefits today.

Renew Now