Considerations for Handling Employee Access Requests (DSAR)

DataGrail - February 26, 2026

Key Takeaways

  • Employees have full consumer rights under the CCPA. Since January 1, 2023, California workforce members can exercise the same rights as any other consumer. While many comprehensive state privacy laws continue to exclude or limit employee data, California does not.
  • Employee DSARs go well beyond labor law. CCPA as amended by CPRA puts geolocation, biometrics, internet activity, inferences, neural data, and ADMT outputs in scope.
  • ADMT for employment decisions triggers new obligations. Employees can request transparency into automated tools used in hiring, promotions, compensation, and terminations, and can opt out. Compliance deadline: January 1, 2027.
  • Risk assessments are mandatory. Processing sensitive PI, using ADMT for significant decisions, and systematic employee monitoring all require documented assessments retained for at least five years.
  • Cybersecurity audits with executive certification are coming. Tiered deadlines begin April 1, 2028, with certification signed under penalty of perjury.
  • Data correction obligations have teeth. Corrected records must stay corrected, and you must name or notify the source of inaccurate information.
  • The look-back window extends to January 1, 2022. If you retain employee PI beyond 12 months, employees can request all of it back to that date.

Why Employee DSARs Are Different in California

California’s privacy law stands apart from every other state privacy framework in one critical respect for employers: it applies fully to employee data. While a growing number of states now have comprehensive privacy laws on the books, most explicitly exclude employee and applicant information from their scope. California’s employer exemptions expired on January 1, 2023, and since then, workforce members have held the same full suite of privacy rights as any other California “consumer.” The law itself, the California Consumer Privacy Act, first signed in 2018 and substantially strengthened by the California Privacy Rights Act (CPRA) in 2020, has been steadily gaining force and is now enforced by the state’s dedicated privacy agency, the California Privacy Protection Agency (CalPrivacy).

That makes handling data subject access requests (DSARs) from employees one of the more operationally complex areas of California privacy law compliance. As of January 1, 2026, CalPrivacy’s latest regulations introduced requirements for automated decision-making technology (ADMT), mandatory risk assessments, and independent cybersecurity audits, all of which carry direct implications for how your organization handles employee data. Employment decisions like hiring, promotions, work assignments, and compensation are now explicitly defined as “significant decisions” under the ADMT framework, meaning employees can request transparency into how automated tools were used, and in many cases, opt out entirely.

This guide walks through the key considerations for handling employee access requests under the current CCPA framework and what your team needs to be prepared for.

Employees as “Consumers”

The CCPA doesn’t distinguish between your customers and your workforce. If your business meets the applicability thresholds, the personal information you collect for recruitment, payroll, benefits management, and other HR functions is subject to the same rights and obligations as any other consumer data you hold. That includes job applicants, past and current employees, independent contractors, and owners, directors, and officers.

This means your privacy program can’t treat employee data as a separate, lower-priority workstream. The same rights to know, delete, correct, opt out, and limit apply. The same response timelines apply. And the same enforcement mechanisms apply. According to the Purpose and Intent section of Proposition 24, consumers should know who is collecting their personal information, how it is being used, and to whom it is disclosed so they have the information necessary to exercise meaningful control over businesses’ use of their personal information.

California’s Delete Act also launched the Delete Request and Opt-out Platform (DROP) on January 1, 2026, allowing consumers to submit deletion requests to all registered data brokers at once. Starting August 1, 2026, data brokers must check the system every 45 days, process deletions, and honor opt-outs. While DROP primarily targets data brokers rather than employers, it’s relevant if your organization shares employee data with third parties that may qualify as data brokers under California law. Audit your vendor relationships to determine whether any of your HR data recipients are registered or registrable as data brokers.

In-Scope Personal Information

One of the first questions you’ll need to answer when an employee DSAR comes in is what data is actually in scope. The answer extends well beyond what employees can access under the California Labor Code:

California Labor Code:
  • Payroll records
  • Personnel records
  • Benefits records
  • Signed documents

CCPA (Additional Scope):
  • Geolocation information
  • Biometric information
  • Internet activity
  • Inferences drawn about the employee
  • Neural data (now sensitive PI)
  • ADMT outputs and logic

The definition of sensitive personal information now also covers consumers under 16, which may be subject to the right to limit. If your organization employs minors (interns, for example), their data carries heightened obligations.

What to do: Map these data categories against your actual HR systems now. If you’re collecting biometrics for time tracking, geolocation from company devices, or running performance analytics that generate inferences, all of it is discoverable through a DSAR.

Components of a DSAR Response

Your DSAR response must address two areas: what your organization “knows” about the individual, and what has been done with that data.

What Your Organization Collected

  • Categories of personal information collected about the employee
  • Categories of sources from which the personal information was collected
  • Business or commercial purpose for collecting, selling, or sharing personal information
  • Categories of third parties to whom the business discloses personal information
  • Specific pieces of personal information collected about the employee

What Was Disclosed, Sold, or Shared

If your organization has disclosed, “sold,” or “shared” employee data, the DSAR response must also address:

  • Categories of personal information collected, sold, or shared about the employee
  • Categories of third parties to whom the personal information was sold or shared, broken out by category of PI for each category of third party
  • Categories of personal information disclosed for a business purpose and the categories of persons to whom it was disclosed (i.e., service providers and independent contractors)

ADMT Disclosures

Under the current regulations, if your business uses ADMT for decisions about employees, the DSAR response must also include the specific purpose of the ADMT, the logic sufficient for the employee to understand how their data was processed, and the outcome including what other factors were involved. If ADMT was used more than four times in a 12-month period, you may provide an aggregate-level response.

What to do: Audit your HR tech stack for tools that use algorithmic scoring, ranking, or filtering in employment decisions. Document the purpose, logic, and output type for each so your team can respond without scrambling.

Processing Employee DSARs

Employee access requests follow the same data subject request management process as other consumer DSARs, but the HR context introduces complications that don’t come up with typical consumer requests. These requests cut across HR systems, internal databases, third-party service providers, and sensitive employment records, and they require careful coordination between privacy, legal, and HR teams. What follows covers timelines, compilation, and the tricky parts.

DSAR Processing Timeline

Deadline            Action Required                                                                 Applies To
10 business days    Acknowledge receipt of the DSAR                                                 All DSARs
15 business days    Cease ADMT processing; notify all service providers and contractors involved    ADMT opt-out requests (if processing began)
45 calendar days    Respond with requested information, deny with reasons, or notify of delay       All DSARs
90 calendar days    Maximum extended response deadline (from receipt)                               All DSARs (with extension)
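A deadline calculator for the timeline above, added here as an illustration rather than code from DataGrail or the regulations. It assumes a Monday-to-Friday business week with no public-holiday calendar (add one for your jurisdiction) and takes dates as ISO strings.

```python
from datetime import date, timedelta

# Deadlines from the CCPA timeline discussed above. Business days skip weekends;
# assumption: no public-holiday calendar is applied.
ACK_BUSINESS_DAYS = 10
ADMT_CEASE_BUSINESS_DAYS = 15
RESPONSE_CALENDAR_DAYS = 45
MAX_EXTENDED_CALENDAR_DAYS = 90


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by `n` business days (Monday to Friday)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            n -= 1
    return current


def dsar_deadlines(received_iso: str, admt_opt_out: bool = False) -> dict:
    """Return the deadline calendar (ISO dates) for a DSAR received on `received_iso`."""
    received = date.fromisoformat(received_iso)
    deadlines = {
        "acknowledge_by": add_business_days(received, ACK_BUSINESS_DAYS),
        # Respond, deny with reasons, or notify of delay within 45 calendar days.
        "respond_by": received + timedelta(days=RESPONSE_CALENDAR_DAYS),
        # Hard stop when an extension has been notified: 90 calendar days from receipt.
        "max_extended_by": received + timedelta(days=MAX_EXTENDED_CALENDAR_DAYS),
    }
    if admt_opt_out:
        # Processing already begun must stop, and providers be told, within 15 business days.
        deadlines["cease_admt_by"] = add_business_days(received, ADMT_CEASE_BUSINESS_DAYS)
    return {name: d.isoformat() for name, d in deadlines.items()}


def overdue(deadlines: dict, today_iso: str) -> list:
    """Names of deadlines that have already passed as of `today_iso`, earliest first."""
    today = date.fromisoformat(today_iso)
    late = [(d, name) for name, d in deadlines.items() if date.fromisoformat(d) < today]
    return [name for _, name in sorted(late)]


if __name__ == "__main__":
    # Constructed sample: request received on Monday 2026-03-02 together with an ADMT opt-out.
    for name, due in dsar_deadlines("2026-03-02", admt_opt_out=True).items():
        print(f"{name:18} {due}")
```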

Compiling Information

After determining the DSAR’s validity and scope, you need to collect the employee’s personal data and compile a report on when and how it was collected, processed, and stored. This is typically the most time-consuming step, and where most teams run into trouble.

Take care with legally protectable trade secrets, information pertaining to other individuals (outside of a valid request submitted on behalf of a data subject), and especially sensitive pieces of personal information.

Section 7024 of the CCPA Regulations sets out circumstances where you are not required to search for personal information:

  • You don’t maintain it in a searchable or reasonably accessible format
  • You maintain it solely for legal or compliance purposes
  • You don’t sell or use it commercially
  • You describe to the employee the categories of records that may contain their data

Even where an exemption applies, you must not disclose Social Security numbers, driver’s license numbers, financial account numbers, health or medical identification numbers, account passwords, security questions, or unique biometric data. You must, however, inform the employee with sufficient particularity about the type of information collected.

Data Correction Obligations

The regulations have added real teeth to correction requirements:

  • Corrections must stick. Corrected records cannot be overridden by stale data from upstream feeds. Build processes to prevent this.
  • Source transparency required. You must name the source of inaccurate information or notify that source directly.
  • Health data carries additional rights. Employees can submit a 250-word contestation statement if you deny a correction request for health data, and you must make it available to anyone who received the contested information.
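The first two obligations above, a correction that survives later upstream syncs and a named source to notify, can be enforced in the record-merge step. This added example (not DataGrail's code) keeps a per-field correction ledger; the rejection policy it applies is an assumption, not wording from the regulations.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Correction:
    """What was corrected, the value found inaccurate, and the upstream source that supplied it."""
    corrected_value: str
    inaccurate_value: str
    inaccurate_source: str  # the source you must name or notify
    corrected_at: datetime


@dataclass
class EmployeeRecord:
    employee_id: str
    fields: dict
    corrections: dict = field(default_factory=dict)  # field name -> Correction
    notifications: list = field(default_factory=list)  # (source, field name) queue


def apply_correction(record: EmployeeRecord, name: str, new_value: str,
                     source: str, when_iso: str) -> str:
    """Apply a granted correction; returns the source that must be named or notified."""
    record.corrections[name] = Correction(
        corrected_value=new_value,
        inaccurate_value=record.fields.get(name),
        inaccurate_source=source,
        corrected_at=datetime.fromisoformat(when_iso),
    )
    record.fields[name] = new_value
    return source


def merge_upstream(record: EmployeeRecord, upstream: dict, source: str,
                   as_of_iso: str) -> list:
    """Merge a feed snapshot taken at `as_of_iso` without reverting corrected fields.

    Policy (assumption): a corrected field rejects an upstream value when the snapshot
    predates the correction or the value is the one already found inaccurate; anything
    newer and different is accepted as a genuine update. Rejected fields are queued
    for a notification to `source` and their names are returned.
    """
    as_of = datetime.fromisoformat(as_of_iso)
    rejected = []
    for name, value in upstream.items():
        corr = record.corrections.get(name)
        if corr is not None and (as_of <= corr.corrected_at or value == corr.inaccurate_value):
            rejected.append(name)
            record.notifications.append((source, name))
            continue
        record.fields[name] = value
    return rejected
```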

Where Employee Data Lives

Employee PI doesn’t just live in your HRIS. When a DSAR comes in, you may need to pull from a range of systems that weren’t designed with privacy compliance in mind:

  • Third-party HR SaaS applications
  • Custom databases (MongoDB, MySQL)
  • Data warehouses or data lakes (Snowflake, Redshift)
  • Unstructured data stores (Elasticsearch, AWS S3)
  • Internally built applications and proprietary platforms

What to do: Inventory every system that touches employee data and establish retrieval procedures before a DSAR forces you to figure it out under deadline. You can learn more about DataGrail’s approach through our Internal System Integration capabilities.

Self-service portals (payroll records, tax documents, benefits information) don’t eliminate the DSAR obligation. When self-service doesn’t cover the full scope, employees need a clear path to your privacy team or a standardized intake form. Employee handbooks should spell out what’s available through self-service and when to reach out directly.

Confidential Data and Redactions

Information about an employee often overlaps with company-confidential material. Most work emails and shared files relate to job functions and interactions, not the specific employee. Correspondence and files may involve other individuals, contain trade secrets, or include other company-confidential material. In both cases, this information is protected from disclosure.

What to do: Coordinate closely between your privacy team and employment counsel to define what’s disclosable, how to handle redactions, and when legal hold and litigation discovery procedures come into play. Clear internal policies here will save significant time when a DSAR arrives.

Look-Back Scope

Expanded look-back reach. CCPA as amended by CPRA lifts the original 12-month cap. Employees can now request all retained PI going back to January 1, 2022. As CalPrivacy confirmed in its pre-2026 guidance, this is the default expectation for any business retaining employee data beyond 12 months.

Expanded scope of information. Your organization needs to track and be prepared to provide categorized context about virtually all operational activities involving individuals’ personal and sensitive personal information, including categories of third parties, service providers, and independent contractors to whom employee data may have been disclosed.

What to do: Make sure your systems and service provider contracts support retrieval across the full January 1, 2022 timeframe. Update contracts to clarify support responsibilities and turnaround timelines for DSAR fulfillment.

Request Denials

You may deny a DSAR in whole or in part, but the denial must include:

  • A specific legal basis for the denial (conflict with state or federal law, CCPA exception, inadequate documentation, or unreasonable/disproportionate effort)
  • An explanation of the reasoning if citing unreasonable or disproportionate effort
  • Notice of the employee’s right to submit a 250-word written statement for medical information corrections
  • Notice of the employee’s right to request deletion, unless exceptions apply

For ADMT-related requests, if you deny in whole or in part, you must explain the basis and use reasonable security measures when transmitting any ADMT-related information. If ADMT was used more than four times in a 12-month period, you may provide an aggregate-level response.

Automated Decision-Making Technology (ADMT) and Employee DSARs

If your organization uses algorithmic or automated tooling in HR processes, CalPrivacy’s ADMT framework imposes obligations beyond what employees can request in a DSAR. It also requires affirmative steps before you deploy the technology.

Under the regulations, ADMT means any technology that uses computation to replace or substantially replace human decision-making. “Significant decisions” in the employment context explicitly include:

  • Hiring
  • Allocation or assignment of work
  • Salary and incentive compensation
  • Promotions, demotions, and suspensions
  • Terminations

To avoid triggering the requirements, human involvement must be meaningful, not rubber-stamping. The human must know how to interpret the output, review it alongside other information, and have authority to change the decision.

Pre-Use Notice and Opt-Out Rights

Before deploying ADMT for any significant employment decision, you must provide a plain-language pre-use notice that includes:

  • An explanation of the proposed use of ADMT
  • A description of the employee’s right to opt out and how to exercise it
  • A description of the employee’s right to access information about the ADMT’s use
  • A statement that your business is prohibited from retaliating against employees who exercise their CCPA rights

The notice must also explain how the ADMT processes personal information to make the decision, including which categories of PI affect the output and what type of output it generates. Generic language won’t suffice.

The rules for handling opt-outs are specific:

  • If an employee opts out before you initiate ADMT processing, you must not start.
  • If the request comes after processing has begun, you must cease processing as soon as feasibly possible but no later than 15 business days from receipt.
  • You must notify any service providers, contractors, or other persons involved in that processing to comply within the same timeframe.
  • You must also provide employees a way to confirm the status of their opt-out request, including requests submitted through an opt-out preference signal like the Global Privacy Control. This could be as straightforward as displaying “Opt-Out Request Honored” or toggling a status in the employee’s privacy settings.

Timelines and Exceptions

Scenario                                       Compliance Deadline
Using ADMT before January 1, 2027              January 1, 2027
New ADMT deployment after January 1, 2027      Immediately upon deployment

Narrow exceptions exist for hiring and work allocation decisions where ADMT is used solely for assessing ability to perform and works as intended without unlawful discrimination. Evaluate these carefully with counsel; the burden of proof falls on your organization.

What to do: Use the compliance runway to inventory automated tools across your HR stack, build compliant pre-use notices, and establish intake and response workflows for ADMT-related DSARs and opt-outs.

Risk Assessments for HR Data Processing

You are now required to conduct formal risk assessments before engaging in processing activities that present significant risks to privacy. The following HR activities trigger this requirement:

  • Processing sensitive PI (narrow exception for payroll, benefits, and legally mandated reporting; examine carefully whether your activities qualify)
  • Using ADMT for significant employment decisions
  • Profiling through “systematic observation” (Wi-Fi/Bluetooth tracking, RFID, video/audio recording, geofencing, location trackers)
  • Processing PI to train ADMT for significant decisions or identity verification technology

Assessments must be reviewed every three years or within 45 days of a material change. Retain for as long as processing continues or five years, whichever is later. Submissions to CalPrivacy for 2026–2027 assessments are due by April 1, 2028.

What to do: Identify which of your HR data processing activities trigger a risk assessment, prioritize them by risk level, and begin documenting. The obligation to conduct the assessment exists now, even if submission deadlines are later.

Cybersecurity Audits

Annual independent cybersecurity audits are now required for businesses meeting the gross revenue threshold ($26.625 million as of January 1, 2025) and at least one of the following:

  • Processed the personal information of at least 250,000 consumers or households in the preceding calendar year
  • Processed the sensitive personal information of at least 50,000 consumers in the preceding calendar year

Audits must be conducted by a qualified, objective, independent professional and must cover 18 separate cybersecurity components specified in the regulations. A member of your executive management team must submit a certification of compliance to CalPrivacy, signed under penalty of perjury.

Revenue Tier                   First Audit Due
Over $100 million              April 1, 2028
$50 million to $100 million    April 1, 2029
Under $50 million              April 1, 2030

What to do: Ensure employee data systems (HRIS, internal databases, third-party service providers) are covered by your organization’s cybersecurity program. If they’re out of scope, close that gap before your audit deadline.

Getting Employee DSARs Right at Scale

The regulatory bar for employee DSARs is higher than it’s ever been. Between ADMT transparency requirements, mandatory risk assessments, expanded look-back windows, and data correction obligations, the margin for ad hoc or manual compliance is shrinking fast.

That’s the problem DataGrail was built to solve. DataGrail’s privacy compliance platform connects directly to your HR systems, SaaS applications, internal databases, and third-party service providers, through 2,400+ integrations, giving your team a real-time, integrated view of where employee data lives and how it moves. When a DSAR comes in, DataGrail’s DSAR automation handles discovery and retrieval across your entire data map so your team can respond accurately and within deadline.

With support for automated DSAR fulfillment, internal system integrations, and consent and preference management, DataGrail helps privacy and legal teams stay ahead of the compliance curve. Request a demo to see how it works.
