Worried about complying with employee data privacy legislation such as the California Privacy Rights Act (CPRA), but not ready to make a vendor change? Fear not: there are things you can do right now to better protect your employees’ sensitive personal information. Organizations should immediately require contractually binding, clearly understood limits on employee data use, engagement, and storage from all of their outsourced vendors. The CPRA went into effect on January 1, 2023. Civil and administrative enforcement in California will begin on July 1, 2023, with substantial fines for violations. In this post I give a high-level overview of each of the three aspects (engagement, use, and storage), followed by best practices you can write into your vendor agreements.
Employee Data Engagement
Most HR and payroll vendors still rely on a “send and store” model: the employer transmits a full employee data file, containing highly detailed and extremely sensitive employment and income data on every employee, every week or every pay period. Some of the more advanced vendor options do include API integrations, but the largest vendor’s API strategy still gathers full employment and income data on every employee, only more frequently. The full-file practice results in vendors gathering, handling, and storing far more data than is required to run a smooth process. A much more efficient and far less risky approach is to limit the vendor’s access to your employee data to the moment the data is actually needed, and to the individual employee it is needed for.
Vault Verify gathers employee data in a one-to-one, real-time manner: we access the data for one employee only at the time it is needed, and we gather only the data elements required to produce the authorized and requested report.
Employee Data Use
The way employee data is shared and sold is the most troubling aspect of the data practices used by many players in the verification of employment and income industry. The data use practices of the largest vendors have been hard to pin down for years: employers have had no true visibility into how and when their employee data has been shared or sold, for what purpose, or to whom.
Thanks to California privacy legislation, including the CPRA, certain vendors have been required to register as “data brokers” (you can search the registry here), and registered data brokers must disclose the ways they share or sell their customers’ sensitive data. Even with these new views into data use, the language a vendor provides can be murky or downright confusing. Rather than relying on a vendor to set the parameters for employee data use, engagement, and storage, your organization should proactively set its own expectations and requirements for acceptable employee data use and write them into the vendor agreement. Employee data provided for the purposes of an outsourced solution should only ever be used for the purposes explicitly stated in the agreement, and only with the express consent of the employee.
Vault Verify fulfills only valid verifications, and only with employee consent, and therefore NEVER shares employee data with attorneys, pawn shops, debt collectors, advertisers, marketers, social networks, unsolicited credit offerors, or other data brokers and resellers.
Employee Data Storage
The employee data storage practices of many vendors create massive, unnecessary risk for employers and their employees. Vendors openly market that they store hundreds of billions of data elements in massive cloud-based data management platforms around the world. That stored employee data adds no value to any of their outsourced employer solutions, and databases that large are inherently prime targets for bad actors, including state-sponsored attackers. Conscientious employers should never permit their employees’ sensitive personally identifiable information (SPII) to be stored in such an environment: once it is, the employer has lost control of the data and may still be liable or culpable for what happens to it. There is simply no reason to compile or store the employment and income data of employees long-term in order to provide an automated verification of employment and income solution.
Vault Verify does not store or compile the sensitive data of our clients or their employees.
Here are some employee data best practices to get your outsourced programs moving toward CPRA compliance. The points marked “Critical Practice” should be treated as deal breakers if a vendor will not agree to them.
Employee Data Engagement
- BEST PRACTICE: Sensitive personal data of our employees shall be engaged (accessed) only at the time it is needed to fulfill the explicitly stated obligations of the outsourced solution.
- CRITICAL PRACTICE: Vendor shall make reports available which include every instance that any portion of the data provided under this agreement is shared or sold. Reports must include the requestor, purpose, and data elements shared or sold.
Employee Data Use
- CRITICAL PRACTICE: No employee data shall be shared, used, or sold for any purpose other than to fulfill a valid verification of employment or a valid verification of income.
- CRITICAL PRACTICE: Any verification of employment or income requires direct, recent employee consent.
- CRITICAL PRACTICE: Any verification of employment or income shall only be fulfilled for vetted and credentialed requestors.
- CRITICAL PRACTICE: Any other third-party sharing, selling, or using of the data must be explicitly authorized, in writing, by your organization.
- CRITICAL PRACTICE: All employment, income, and personal data provided under the agreement for the purposes of the outsourced solution remains the property of the employer. In the event the agreement is terminated all employee data must be deleted and removed from databases within 30 days of termination. Upon termination any data provided under this agreement shall no longer be shared or sold for any purposes.
Employee Data Storage
- BEST PRACTICE: Sensitive personal data of our employees shall not be stored in any manner for longer than 90 days after the obligations of the outsourced solution have been fulfilled.
- CRITICAL PRACTICE: Sensitive personal data of our employees shall never be commingled with data for any other employee or employer.
- CRITICAL PRACTICE: Vendor shall make available a data asset library which captures detail on the data elements engaged and/or stored, the number of employees whose data has been engaged or stored, and where the data is used or stored. This includes any and all vendor platform(s) in which the data is used or stored.
Donny Phillips is a 25-year industry expert who has served in leadership roles at multiple human resource and payroll service providers, including some of the largest third-party administrators and employment and income verification vendors. During his career, Donny has consulted with and provided services to employers of all sizes, from the largest of the Fortune 100 to local small businesses, as well as to local governments and federal agencies. Donny is passionate about helping clients optimize their programs while doing the right thing for all stakeholders.