This article is for administrators.
Overview
The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and first took effect on January 1, 2020. The CCPA imposed regulations on businesses that collect individuals' data and was intended to give consumers the right to know what has been collected, the right to request the deletion of information, the right to opt out of sales of information, and the right to non-discrimination when exercising rights under the CCPA.
What Changed?
When originally enacted, the CCPA exempted Employee Data and Business-to-Business Data.
Following the enactment of the California Privacy Rights Act (CPRA), these exemptions were effective until January 1, 2023.
Employers who previously did not apply to the employer-employee relationship had to prepare to comply with privacy regulations.
Note: To provide additional time to make necessary adjustments, enforcement of CPRA did not begin until July 1, 2023, and applied only to violations on or after July 1, 2023.
What Is a Covered Business?
To qualify as Covered, a business must be:
A for-profit entity that collects and controls a California consumer’s personal information and at least one of these:
- As of January 1 of a calendar year, they had worldwide annual gross revenues of over $25,000,000.00 in the preceding calendar year.
- Alone or in combination, they annually buy, sell, or share personal information of 100,000 or more California consumers or households, or they derive 50% or more of annual revenues from selling or sharing California consumers’ personal information.
High-Level Requirements
As of January 1, 2023, covered employers must prepare to:
- Provide California Residents with a specific privacy disclosure notice
- Respond to California Resident privacy requests
- California residents can request a list of their information that was collected
- California residents can also request data to be corrected or deleted
- If the data serves a required business purpose, it is acceptable to deny the request for deletion
What Are Paycor's Responsibilities?
Paycor is a service provider as defined by the CPRA. This means Paycor can assist with specific requirements, but it is the employer's responsibility to comply with the CPRA.
We recommend employers consult their legal advisor to confirm whether the law applies to their organization, evaluate current data collection practices, and establish a process for handling privacy requests and disclosure notices.
As of January 1, 2023, customers can contact Paycor to request assistance with data collection, data amendment, and data deletion.
- All California employee CCPA requests must be sent by a customer contact listed on the account.
- Paycor does not handle CCPA requests directly from employees.
- If you receive a CCPA request from an employee, contact the Paycor Support team.
- After initial contact, an email requesting the CCPA Request Type, the employee's name and number is sent to you.
- CCPA Request Types include Data Deletion, Data Amendment, and Data Report
- After the request type and employee name and number are provided, the support team will manage the request with a support case.
Note:
- Employers have 45 days from the date of the request to complete any necessary action.
- Paycor will make every effort to turn around responses as soon as possible.
Agency Resource
See the California CCPA Overview & Frequently Asked Questions.
Updated: July 3rd, 2025 2985 views 0 likes