Workplace Privacy Compliance: A CCPA and GDPR Checklist for Facilities Managers
Privacy law used to be someone else's problem. Legal reviewed the contracts. IT handled the data requests. HR managed the notices. But as facilities and real estate teams take on more technology, from smart sensors and occupancy systems to digital access controls and space analytics, that assumption no longer holds.
The sensors you choose to deploy, and how you deploy them, can determine whether your organization is on the right side of GDPR and CCPA. And with regulators paying closer attention in 2026, the question of which technology you use has become a compliance question as much as an operational one.
This checklist is designed to help facilities and real estate managers understand their obligations under the two most consequential workplace privacy frameworks today, with a practical guide to staying compliant.
Why Facilities Teams Are Now on the Privacy Hook
GDPR and CCPA were originally understood as rules for marketing departments and data brokers. Employee protections were often carved out or treated as secondary. That changed.
Under GDPR, employee data has always been in scope. Under CCPA, the California Privacy Rights Act (CPRA) eliminated the workforce exemption entirely as of January 2023, extending full consumer-grade privacy rights to California employees. And with comprehensive privacy laws now active in roughly 20 U.S. states, the patchwork is only getting more complex.
For facilities teams, this means the motion sensors, thermal detectors, desk booking systems, and access badges you manage are potential data collection points, each carrying regulatory implications depending on what they capture and how.
GDPR and the Workplace: What You Need to Know
The General Data Protection Regulation applies to any organization processing the data of people in the EU, regardless of where the organization is headquartered. If you have employees or contractors in European offices, GDPR applies to the systems in those spaces.
Key GDPR concepts for facilities teams:
- Lawful basis. You need a legal justification to process employee data. Consent is rarely appropriate in an employment context because of the power imbalance between employer and employee, and because it must be freely withdrawable. Legitimate interest is typically the stronger and more defensible basis for workplace sensing, provided you carry out and record a legitimate interests assessment: the purpose, why the data is necessary for it, and a balancing test against what employees would reasonably expect.
- Data minimization. You may only collect data that is necessary for the stated purpose. Capturing more than you need, even passively, creates compliance exposure.
- Data Protection Impact Assessment (DPIA). If your sensing systems process data that could identify individuals or monitor behavior at scale, a DPIA is likely required before deployment. This is especially relevant for camera-based or Wi-Fi tracking systems.
- Individual rights. Employees in the EU have the right to access their data, request corrections or deletion, and object to certain types of processing. Your systems need to support these workflows.
- Penalties. GDPR fines can reach 4% of global annual turnover or 20 million euros, whichever is greater. By early 2025, total cumulative fines had reached approximately 5.88 billion euros.
CCPA and CPRA: Employee Rights in California
Since January 2023, the California Privacy Rights Act has granted California employees the same data rights that consumers have had since CCPA went into effect in 2020. If your organization has employees in California, these rules apply to the data collected in your facilities.
What California employees can now do:
- Request to know what personal data has been collected about them and why
- Request access to that data and ask for corrections
- Request deletion of data that is no longer necessary for the disclosed purpose
- Opt out of certain uses, including profiling in employment contexts
- Not face retaliation for exercising any of these rights
CPRA also codifies data minimization as a legal standard, requiring that data collection be "reasonably necessary and proportionate" to the disclosed purpose. Capturing more granular data than your use case requires, such as second-by-second location tracking when aggregated presence counts would suffice, falls outside that standard and is difficult to defend.
New regulations effective in 2026 also require covered businesses to conduct privacy risk assessments before processing that poses significant risk to consumer privacy, including certain HR analytics and automated decision-making scenarios.
Penalties for intentional CCPA violations can reach $7,500 per violation (a base figure the regulator adjusts for inflation). Because penalties are assessed per violation rather than per deployment, a building-wide sensor network that over-collects continuously compounds the exposure quickly.
Other Regulations Worth Knowing
GDPR and CCPA are the most impactful, but they are not the only frameworks in play. Organizations with global footprints should be aware of UK GDPR, which mirrors the EU regulation post-Brexit but is enforced independently by the UK Information Commissioner's Office. Canada's PIPEDA and its stronger proposed successor have similar principles around transparency and consent. China's Personal Information Protection Law (PIPL) applies to data collected from individuals in China, including employees.
In the U.S., 20 state privacy laws were active as of 2026, with more on the way. While most focus on consumer data, the trend is clearly toward expanding employee protections. Building a privacy-by-design foundation now prepares you for what is coming.
The Compliance Checklist: Workplace Sensing and Privacy
Use this checklist when evaluating, deploying, or auditing any sensing or monitoring technology in your workplace.
Before Deployment
- Identify what data is collected. Does the technology capture images, movement paths, biometrics, or any data that could be linked to an individual? Anonymous aggregate counts are very different from trackable individual-level data.
- Establish a lawful basis. Document why you are collecting data and which legal basis applies under GDPR or applicable state law. For most workplace sensing, legitimate interest is appropriate, but it must be assessed and recorded.
- Complete a DPIA if required. If the system involves large-scale monitoring, behavioral tracking, or data that could identify individuals, a Data Protection Impact Assessment is required under GDPR (Article 35) before you deploy. Systematic monitoring of a workplace is on the European regulators' list of processing likely to be high risk, so assume a DPIA is needed unless the data is genuinely anonymous.
- Review vendor data handling. Understand where data is stored, how long it is retained, and with whom it is shared. Get this in writing: under GDPR a processor contract (Article 28) is mandatory, and it should name sub-processors, storage locations, and retention periods. Liability sits primarily with the data controller, which is you; the vendor has its own processor obligations, but they do not offload yours.
Transparency and Notice
- Provide notice to employees. Both GDPR and CCPA require employees to be informed about what data is collected, why, how it is used, and with whom it is shared. This notice should be written in plain language, not buried in an onboarding packet.
- Update your privacy policy. If your sensing deployment is new or has changed, your employee-facing privacy documentation should reflect it.
- Post signage in monitored areas where appropriate. Especially in jurisdictions with specific notice requirements, visible disclosure of sensing technology builds trust and reduces legal risk.
Data Minimization and Retention
- Collect only what you need. If aggregated occupancy counts tell you what you need to know, there is no compliance justification for capturing individual movement paths. Data minimization is enforceable under both GDPR and CPRA.
- Set retention limits. Data should not be kept longer than necessary for the stated purpose. Document your retention schedule and build deletion workflows into your operations.
- Prefer anonymous-by-design technology. Technologies that cannot generate personal data in the first place, such as low-resolution thermal sensors, eliminate many compliance obligations at the source. Check that the output stays anonymous in context: a count of one in a single-occupant office, joined to a desk booking or badge log, can identify a person again.
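The three points above are easiest to audit when they are enforced in the ingestion pipeline rather than left to policy. The following Python is an added illustration, not code from this page or from any sensor vendor: it assumes a made-up reading format (a timestamp, a zone name, a presence count, and possibly extra identifying fields a richer gateway might attach), a 15-minute aggregation interval and a 90-day retention period. The sample readings are constructed. Only allowlisted fields are kept, individual readings are collapsed into per-zone interval statistics, anything older than the retention window is purged, and an audit function reports any stored field outside the allowlist.

```python
"""Added example: data minimization, aggregation and retention for
occupancy readings. Field names, thresholds and sample readings are
assumptions for illustration, not any vendor's actual format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample readings. track_id / badge_id stand in for whatever
# identifying fields a sensor or gateway might attach; they are never stored.
RAW_READINGS = [
    {"ts": "2026-03-02T09:02:10Z", "zone": "floor3-east", "count": 3, "track_id": "t-117"},
    {"ts": "2026-03-02T09:07:40Z", "zone": "floor3-east", "count": 5, "track_id": "t-118"},
    {"ts": "2026-03-02T09:11:05Z", "zone": "floor3-east", "count": 4, "badge_id": "E-2231"},
    {"ts": "2026-03-02T09:16:30Z", "zone": "floor3-east", "count": 6},
    {"ts": "2026-03-02T09:03:00Z", "zone": "floor3-west", "count": 0},
    {"ts": "2026-03-02T09:12:00Z", "zone": "floor3-west", "count": 2, "track_id": "t-119"},
    {"ts": "2025-11-20T10:00:00Z", "zone": "floor3-west", "count": 1},  # older than retention
]

ALLOWED_FIELDS = {"ts", "zone", "count"}   # the only fields the stated purpose needs
BUCKET = timedelta(minutes=15)             # assumed aggregation interval
RETENTION = timedelta(days=90)             # assumed documented retention period


@dataclass(frozen=True)
class OccupancyBucket:
    zone: str
    start: datetime
    peak: int
    mean: float
    samples: int


def minimize(reading: dict) -> dict:
    """Strip every field that is not on the allowlist before persistence."""
    return {k: v for k, v in reading.items() if k in ALLOWED_FIELDS}


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its aggregation interval."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((ts - epoch) // BUCKET) * BUCKET


def aggregate(readings: list[dict]) -> list[OccupancyBucket]:
    """Collapse minimized readings into per-zone interval statistics.
    Individual readings are discarded; only the bucket survives."""
    groups: dict[tuple[str, datetime], list[int]] = defaultdict(list)
    for r in readings:
        m = minimize(r)
        groups[(m["zone"], bucket_start(parse_ts(m["ts"])))].append(int(m["count"]))
    return sorted(
        (OccupancyBucket(z, s, max(c), sum(c) / len(c), len(c)) for (z, s), c in groups.items()),
        key=lambda b: (b.zone, b.start),
    )


def apply_retention(buckets: list[OccupancyBucket], now: datetime):
    """Split buckets into those inside the retention window and those to purge."""
    cutoff = now - RETENTION
    kept = [b for b in buckets if b.start >= cutoff]
    purged = [b for b in buckets if b.start < cutoff]
    return kept, purged


def audit_fields(records: list[dict]) -> list[str]:
    """Names of any stored field outside the allowlist; empty means clean."""
    return sorted({k for r in records for k in r if k not in ALLOWED_FIELDS})


def run(readings: list[dict], now: datetime):
    """Full pipeline: minimize, aggregate, enforce retention."""
    return apply_retention(aggregate(readings), now)


if __name__ == "__main__":
    now = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)
    kept, purged = run(RAW_READINGS, now)
    for b in kept:
        print(f"{b.zone} {b.start:%Y-%m-%d %H:%M} peak={b.peak} mean={b.mean:.1f} n={b.samples}")
    print("purged buckets:", len(purged))
    print("fields outside allowlist after minimization:", audit_fields([minimize(r) for r in RAW_READINGS]))
```

The retention step runs on a clock you control, so it belongs in a scheduled job with its own log entry; that log is the evidence an auditor will ask for. If the vendor's platform holds the raw readings, the same allowlist and retention period should appear in the processor contract so that what you enforce locally matches what they retain.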
Rights Management
- Build a process for data subject requests. Employees can ask to access, correct, or delete their data. You need an operational workflow to respond within the required timeframes: one month under GDPR (extendable by two further months for complex requests, if you tell the requester why), and 45 days under CCPA (extendable once by another 45 days with notice).
- Coordinate with IT, Legal, and HR. Privacy compliance is not a solo effort. Facilities teams should have clear escalation paths and shared documentation with the teams that own the broader privacy program.
Technology Choice Is a Compliance Decision
Not all occupancy sensing technologies carry the same regulatory burden. Camera-based systems capture identifiable images, which puts them squarely in DPIA territory under GDPR; if they perform facial or other biometric identification, that is special-category data requiring explicit consent or another Article 9 condition. Wi-Fi tracking can expose personally linked movement data through device identifiers. Badge systems are explicitly tied to individual identities.
Thermal sensing takes a different approach. Butlr's sensors use low-resolution, 64-pixel thermal data to detect presence and movement without capturing images, faces, or any personally identifiable information. Privacy is enforced at the hardware level, which means the data is anonymous by design, not by policy. There is nothing to anonymize after the fact because identifiable information is never generated in the first place.
This matters for compliance in concrete ways: GDPR does not apply to data that is truly anonymous, so no DPIA is required for anonymous aggregate counts, works council approval is not triggered by the data itself, and consent is not a prerequisite. The caveat is that anonymity is judged in context, so the deployment should be checked for places where a count alone singles someone out, such as a single-occupant office whose presence count can be joined to a desk booking. For facilities teams navigating multi-site deployments across jurisdictions, starting with privacy-safe hardware significantly simplifies the compliance picture.
For a deeper look at how sensor choice affects GDPR obligations, see: Why GDPR Compliance Matters in Europe When Choosing Workplace Occupancy Sensors.
The Bottom Line
GDPR and CCPA have made workplace privacy an operational priority, not just a legal one. For facilities and real estate managers, the systems you procure and deploy are now data decisions with real regulatory consequences. The good news: compliance does not require sacrificing the insights you need to run efficient, data-informed spaces.
Start with the checklist above. Audit your existing systems against it. And when evaluating new technology, make privacy-by-design a mandatory criterion, not an afterthought.
Want to see how Butlr's anonymous thermal sensing fits into your compliance strategy? Talk to our team.
Sources
O'Melveny: 2026 Data Security and Privacy Compliance Checklist
Secure Privacy: 2026 Privacy Compliance Roadmap
Centraleyes: CCPA Compliance Checklist for 2026
Flowace: Employee Monitoring Data Protection and GDPR
Mandatly: CPRA Employee Privacy Rights and Workplace Data Protection
Butlr: Why GDPR Compliance Matters When Choosing Workplace Occupancy Sensors