This is the fifth in a series of articles on the implications of the California Privacy Rights Act for employers..
- the categories of personal information collected by the employer in the previous 12 months;
- the categories of sources from which the personal information is collected;
- the business or commercial purposes for collecting, selling or sharing that personal information;
- the categories of third parties to whom the personal information is disclosed;
- the categories of personal information sold or shared for cross-context behavioral advertising purposes in the previous 12 months;
- the categories of personal information disclosed for business purposes in the previous 12 months; and
- the individual’s CPRA rights and how to exercise those rights, which includes, at a minimum, a toll-free telephone number and at least one other method for submitting rights requests.1
For more information on the rights of HR people, please see our previous articles explaining the data rights that HR people can exercise under the CPRA.2
Comparison with the notice to collection
Combination with collection notice
Combination with other privacy policies
1. Perform data mapping: The first step is often to map the relevant HR data. In other words, employers must determine the categories of personal information they collect from HR people, the sources of collection, the third parties to whom the personal data of employees is disclosed and the purposes for which this information is collected. This assessment will likely require coordination across multiple departments, stakeholders, and custodians to accurately report on the company’s information handling practices.