The California Consumer Privacy Act Requires Employers to Take Reasonable Measures to Safeguard Employee Personal Information and Provide Privacy Notices to Employees
The California Consumer Privacy Act (“CCPA” or the “Act”) of 2018 provides robust protections to consumers, giving them the right to know what personal information of theirs is being collected and how that information will be used. The Act also gives consumers the right to have their personal information deleted and to opt out of its sale. The CCPA went into effect on January 1, 2020, and the enforcement deadline is the sooner of July 1, 2020, or six months from when California’s Attorney General issues final regulations. On February 7, 2020, the California Office of the Attorney General released proposed Modified Regulations, which were subject to a public comment period that ended on February 25, 2020. The Attorney General has also published a Fact Sheet.
Although the CCPA is primarily directed at consumer privacy, the law has some implications for employment-related data. Initially, the CCPA’s broad definition of “consumer” left employers wondering whether employees were considered consumers under the law and, if so, what the implications were for employers who gather and manage sensitive employee data. In October 2019, California Governor Gavin Newsom signed several amendments to the CCPA, including Assembly Bill 25 and Assembly Bill 1355, which clarify how the CCPA applies to the workforce.
The first relevant amendment, A.B. 25, postpones, until January 1, 2021, all but two of the Act’s requirements pertaining to employee data. Employers must still: (a) safeguard personal information and (b) provide a notice to employees regarding the personal information collected by the employer and how the information is used.
The second relevant amendment, A.B. 1355, excludes background checks from the CCPA’s coverage and relieves businesses of any duty to provide privacy notices to the employees of their clients or vendors.
Who Must Comply With The CCPA?
The CCPA covers employers who do business in the state of California and meet at least one of the following criteria:
- Has gross annual revenues of more than $25 million.
- Annually purchases, receives for commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more California consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law is not limited in scope to entities that have physical locations in California. It also applies to any entity that (1) controls or is controlled by a business that meets the above criteria and (2) shares common branding (i.e., a shared name, service mark, or trademark) with the covered business.
Personal Information That Is Excluded
The amendments set forth in A.B. 25 have significantly limited the Act’s application to employers. In this regard, A.B. 25 excludes from the CCPA’s scope the following categories of personal information:
- Personal information collected by a business about an individual in the course of the individual acting as a job applicant, employee, independent contractor, corporate officer, director, individual with a majority ownership interest in a business, or medical staff member;
- Personal information identified as emergency contact information; and
- Personal information necessary for a business to administer benefits for an individual who is entitled to benefits from the employer by virtue of their relationship to a job applicant, employee, independent contractor, corporate officer, director, individual with a majority ownership interest in a business, or medical staff member.
These exclusions, however, are not indefinite and are set to terminate on January 1, 2021, unless the California legislature takes further action.
Reasonable Security Measures
Although A.B. 25 delays most of the CCPA’s requirements for employers until 2021, the amendments do not shield employers from liability resulting from security breaches. The CCPA allows California residents to seek between $100 and $750 in statutory damages when a data breach leads to the “unauthorized access and exfiltration, theft, or disclosure” of certain sensitive personal information due to a company’s failure to take appropriate steps to prevent the breach. A.B. 25 does not exempt employers from this section of the Act. Thus, employers can face significant damages if their failure to implement reasonable security measures results in a breach involving sensitive employee data.
To be actionable under the CCPA, a security breach must meet the following criteria:
- The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of the affected individual’s first name or first initial and last name, combined with the individual’s: (a) Social Security number; (b) driver’s license or California identification card number; (c) account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to the individual’s financial account; (d) medical information; or (e) health insurance information.
- The breach must result from the “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
Before initiating an action to recover damages, affected individuals must provide 30 days’ written notice to the business identifying the specific provisions of the Act alleged to have been violated. If the business timely cures the violation and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual would no longer qualify to recover damages.
Required Privacy Notices to Employees
Employers also remain subject to the CCPA’s privacy notice requirement. A.B. 25 specifically mandates that covered businesses must provide privacy notices to employees in California. Although no model notice has been provided, the CCPA states that the notice must describe “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.”
Personal information is defined broadly by the CCPA to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of personal information frequently collected by employers include Social Security numbers, employment history, financial information, medical information, and emergency contacts.
The privacy notice must be furnished to employees “at or before the point of collection” and provide a copy of, or link to, the employer’s privacy policy. The revised draft regulations explain that employees do not have to be given a “Do Not Sell My Personal Information” link. Additionally, the notice may provide a link to the business’s privacy policies for employees, applicants, etc., rather than the privacy policy that applies to other consumers.
In the event employers intend to use previously collected personal information for a previously undisclosed purpose, the CCPA requires that a new notice be provided to affected individuals.
A.B. 1355 provides that a business is not required to issue privacy notices to the employees of its clients or vendors.
Background Check Information is Excluded
Although background check information was previously within the scope of the CCPA’s coverage, A.B. 1355 has amended the Act to exclude activities authorized by the Fair Credit Reporting Act (“FCRA”). Such activities include background checks conducted by a consumer reporting agency at the request of an employer in accordance with the FCRA.
Next Steps
While the amendments to the CCPA significantly limit the Act’s application to employers, companies should be mindful that those limitations are not permanent and, barring future legislation, are set to terminate on January 1, 2021. Moreover, employers are not exempt from the Act’s notice requirement or its mandate to safeguard personal information.
Moving forward, employers should continue to take steps to ensure compliance with the requirements of the CCPA. Companies should review and update their internal policies related to information security and confirm that privacy notices are CCPA-compliant. Further, to avoid monetary liability under the CCPA, employers must take reasonable measures to protect employee personal information.
Please do not hesitate to contact any of our attorneys if you have any questions regarding CCPA compliance.