On September 13, 2019, the California Senate and Assembly unanimously passed AB 25, amending the California Consumer Privacy Act (“CCPA”). Governor Newsom signed AB 25 into law on October 11, 2019. This amendment places serious obligations on certain employers to protect the private data of employees, and grants employees the right to statutory damages for data breaches. And while Governor Newsom’s signing of AB 25 gives employers a reprieve until January 1, 2021 to comply with those requirements of the CCPA (with respect to coverage of employee data), this reprieve is only temporary.
Are you covered by CCPA?
The CCPA covers for-profit businesses that meet any of the following three criteria: (1) a business with gross annual revenues in excess of $25 million; or (2) a business that buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices; or (3) a business that derives 50% or more of its annual revenue from selling personal information.
Do you have to be in California for CCPA to apply?
No. CCPA applies if one of the criteria above is present, and if the company has “consumer” data covered by the Act. For purposes of CCPA, “consumers” are broadly defined as any “natural person who is a California resident.”
Are employees “consumers” under CCPA?
Yes. Previously there was debate whether “consumers” for purposes of the Act included employees. However, AB 25 laid that debate to rest. Under the explicit terms of AB 25’s amendment to CCPA, “a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” receives rights under the CCPA. While AB 25 makes clear that employers have until January 1, 2021 to demonstrate compliance with all of the stringent provisions of the CCPA regarding the handling of the private data of employees, independent contractors, and job applicants, and as to data collected and maintained to administer benefits – this reprieve is only temporary. And employers have a lot to do between now and the beginning of 2021.
What were employee privacy rights in the past?
California employees have long benefited from certain rights to privacy under the California constitution and various legal statutes. For example, in California, employment records are considered confidential and are protected from disclosure absent a subpoena and consumer notice. California employees have the right to inspect various employment records (payroll records, documents signed during employment, records related to their own performance or a grievance, OSHA records). Statutory damages are imposed for failure to allow an employee to exercise her/his inspection rights.
How has CCPA expanded employee privacy rights?
CCPA expands employees’ privacy rights in three ways: (1) CCPA requires mandatory privacy notices and disclosures about the data collected by employers from employees, and the purpose for such collection; (2) CCPA mandates statutory damages ranging from $100 to $750 for breaches of sensitive personal information; and (3) CCPA expands employees’ rights to request access to and deletion of personal information.
How has CCPA changed mandatory employee privacy notices?
In California, privacy disclosures and “appropriate use” policies for employees are nothing new. In the workplace, it is commonly understood that certain privacy rights are curtailed and that an employee cannot expect his/her own privacy interests to take priority over the employer’s right to monitor use of technology in the workplace. As long as there is a clear policy — usually in the employer’s Employee Handbook — employees have no expectation of privacy to data transmitted on their employer’s systems.
However, under this new amendment to CCPA, the scope and content of employee privacy policies are expanded significantly. Employers must now include in their employee privacy notices the following: (1) categories of personal information that the company has collected; and (2) the purpose for which the personal information will be used. “Personal information” under CCPA is very broad, and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The definition identifies many categories of data, including “professional or employment related information,” “educational information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data,” among others. Employers must disclose all categories of personal information they collect, the purpose for which it is being collected, and how the information will be used.
What are the damages for data breaches?
Consumers now have a private right of action under the CCPA to recover statutory damages ranging from $100 to $750 per incident, per employee, if any of the information listed in the previously existing data breach notification statute is compromised by unauthorized access or disclosure. Similar to PAGA, the CCPA now allows consumers to bring a cause of action on behalf of all others similarly situated. This creates fertile ground for class actions and/or representative lawsuits.
What rights do employees have to access information and request deletion, and when?
Beginning January 1, 2021, under the CCPA, employees have the right to: (a) request that a business disclose what personal information it has collected; (b) know what personal information is being sold or disclosed and to whom; (c) request and receive a copy of all such information in a readily usable format; (d) request that the business delete their personal information; (e) opt out of the sale of their personal information; and (f) be free from retaliation for exercising any rights under the Act. There is presently no private right of action against an employer for failing to comply with these rights; however, the California Attorney General has jurisdiction to investigate any alleged violations of these provisions.
What can employers do to prepare?
At minimum, employers who are subject to the requirements of CCPA must audit their own internal data gathering and management policies, to ensure that all sensitive, private, and/or confidential information is being maintained in as secure a way as possible. Knowing what data your business maintains will help ensure that you are meeting your legal obligations under CCPA with respect to both disclosure and security.
Additionally, employers would be wise to audit, review, and revise all employee privacy policies, employee applicant privacy disclosures, and independent contractor disclosures, to ensure that all are consistent and compliant with CCPA’s requirements.
Employers must also investigate and understand how their third-party vendors (payroll companies, HR consultants, staffing agencies, health/benefits providers, and so forth) who receive employee or applicant private information use, share, and secure such data. CCPA has specific language that must be included in certain third-party agreements in order for such third parties to qualify as a service provider (and to provide safe harbor protection for breaches). Employers must familiarize themselves with such language and update their vendor contracts accordingly.
Finally, best practices suggest that employers review, audit, and update their internal data, information, and document retention policies to reduce the amount of sensitive data being maintained.
CCPA is a deep rabbit hole, fraught with landmines for unsuspecting businesses. As the saying goes, an ounce of prevention is worth a pound of cure. Employers should take note and begin educating themselves and preparing now, so they do not get caught up in costly and time-consuming legal battles in the future.
You can read the full text of AB 25 here.