California “Employee” Data Privacy Requests: Far from easy

By Ethos Privacy

Do you have employees or contractors in California? If you do, you may have obligations under CPRA that become real on January 1, 2023.  

Additional questions to help gauge if your organization is at risk include:   

  • Did you have annual gross revenue above $25 million last year? 
  • Did you collect, store, analyze, disclose, or otherwise ‘use’ the personal information of 100K or more California residents? 
  • Do you get at least 50 percent of your annual revenue from selling (or disclosing to a third party for consideration) or sharing (disclosing to a third party for targeted advertising) the personal information of California residents? 


Answering “yes” to at least one of these may mean you need to pay attention to the upcoming deadline. With this relatively low gross annual revenue threshold, even smaller businesses may fall within the scope of the CPRA if they have California employees. Businesses alleged to have violated the CPRA will have 30 days as a ‘cure’ period to avoid penalties of up to $7500 violation. Additionally, the California Attorney General has established a practice of making examples of companies who failed to comply with the new privacy rules.  

Considering the definitions of “employee” and “personal information” are intentionally broad, the penalties and brand damage could be significant.  

It’s not just names and emails addresses but also anything that can be used to identify or track someone, such as an IP address, metadata, photos, audio, and video recordings, professional and employment information, and so forth. This legislation defines job applications, employee personnel records, and employee communications as “personal information” under the CPRA. If you’ve collected and stored information about job applicants, employees, owners, directors, officers, medical staff members, or independent contractors in the context of that person’s role, then you have PI in scope. Even your employees’ emergency contacts and beneficiaries fall under the CPRA and can submit data privacy requests. 

Don’t let January 1 creep up on you. Watch this informative webinar listing all the “gotchas” and Ethos Privacy is here to help you prepare.  

Get started today

Ensuring digital security and compliance for your future.