The California Legislature enacted the California Consumer Privacy Act (“CCPA”) in 2018 to give consumers control over the use and sale of their personal information by businesses. The law’s provisions are broad, and may affect how employers collect and store applicants’ and employees’ personal data.
Many of the CCPA’s provisions take effect January 1, 2020. However, Governor Newsom just signed AB 25, which postpones until 2021 most – but not all – of the CCPA’s applicability to the employment context.
Although this article focuses on employment-related issues, the CCPA applies to many types of information having nothing to do with employment law. Employers therefore must become familiar with the CCPA’s provisions, including those that take effect in 2020, as well as what to expect in the future.
Is Your Business Covered by the CCPA?
The CCPA applies to entities doing business in California that collect specified personal information. Qualifying businesses generally must satisfy one of three criteria: have an annual gross revenue of over $25 million; or annually receive, sell, or share personal information from 50,000 or more California residents, households, or internet-connected devices (combined); or derive 50% or more of annual revenues from selling personal information.
Exceptions may apply to government, non-profits, and consumer reporting agencies, but even these exceptions come with caveats. The law also contains exceptions for certain types of data, such as information protected by the federal Health Insurance Portability and Accountability Act of 1996 (known as “HIPAA”), or data from financial institutions that is already protected by similar laws.
The CCPA’s coverage is vague in some respects. For example, the law does not define what it means to be “doing business in California.” Additionally, a business that uses a third party to collect personal information on its behalf still may be a covered entity.
What is “Personal Information”?
Protected “personal information” broadly includes data that can identify, relate to, describe, or is reasonably capable of being associated with a particular consumer or household. In the employment context, that definition could include basic human resources data, such as names, addresses, date of birth, as well as information such as protected classes, employee purchase history, training records, internet browser records, and more.
How Do Employers Comply?
The CCPA imposes on covered businesses several requirements that may affect human resources policies and practices. For example, covered businesses must inform consumers (which may include employees) of the categories of information collected and their intended use.
Consumers may request disclosure of the specific information a business has collected about them (twice per year), and whether it provided such information to third parties. Employers frequently disclose employees’ information to third-party businesses, as part of benefits programs, for example. Businesses also annually make certain disclosures in their online privacy policies.
Covered businesses must give consumers the option to “opt-out” of the sale of their information. This provision is less likely to apply in the human resources context.
Consumers may request that a business delete personal information it has collected, unless the information is necessary for a transaction, legal obligation, or a few other exceptions. Naturally, employers are obliged to maintain personnel records by law. So, there will be limits on employers’ obligation to comply with this provision.
The CCPA protects consumers against discrimination for exercising their CCPA rights. And, an affected consumer can file a lawsuit or a class action if they are harmed by a business’ lack of appropriate security measures.
The CCPA primarily is intended to limit disclosure of personal information collected for marketing or commercial purposes that is sold or disclosed to third parties. Because the definition of personal information is so broad, however, critics worry that employees could abuse the CCPA’s protections. For example, employees may exploit disclosure requirements to skirt the discovery process in litigation, or obtain internal HR documents to which they would otherwise not be entitled.
Perhaps in response to these and other concerns, the Legislature passed AB 25 so it could take time to consider how the CCPA should apply in the employment context. AB 25 exempts personal information collected in the course of applying for and holding employment. That includes most human resources data, as well as personal information relating to emergency contacts and personal information collected for administering employee benefits.
The bill does not relieve employers of other obligations they may have under CCPA with regard to customers, website visitors, or in connection with personal information collected for marketing or other purposes.
The AB 25 exemption also does not apply to the “Notice” and “Private Right of Action” protections, discussed above. Covered employers therefore must comply with those notice requirements. Employers also will be held responsible under the statute for security breaches involving personal information.
What Happens When AB 25 Sunsets?
AB 25’s temporary exemptions expire December 31, 2020, unless the Legislature takes action to extend them. Absent such action, covered employers must comply with the full suite of CCPA protections starting January 1, 2021.
What Employers Must Do in 2020
Employers should consult with counsel familiar with CCPA to determine if they are covered. Covered employers should identify what personal information they collect, and to whom notices must be given. Employers should examine security measures, and investigate obligations under CCPA both within and outside the employment context.
Finally, employers should monitor developments in the law to see whether the Legislature extends the sunset date of AB 25, or decides to amend CCPA and its treatment of employment-related data.