In a little over two months, the California Consumer Privacy Act of 2018 (CCPA) will take effect. Since its enactment in the summer of 2018, the law has been considered a game changer because it affords unparalleled data privacy rights to California residents who are consumers, employees or job applicants of covered businesses located all over the world. A covered “business” is a for-profit legal entity doing business in California that collects personal information regarding California residents. The scope of “doing business” in California applies to companies that sell goods or services to California residents – and that recruit in California – even if the business is not physically located in California. Its application beyond U.S. borders could significantly expand the impact of the legislation.
Not all businesses qualify. To fall within the scope of the CCPA, the business must also meet one of three additional criteria:
- Have $25 million or more in annual revenue; or
- Possess the personal data of more than 50,000 “consumers, households, or devices”; or
- Earn more than half of its annual revenue selling consumers’ personal data.
A full discussion of the CCPA, by our Privacy & Cybersecurity Practice Group, can be found here.
Until this month, employers have been on a seesaw regarding whether employees who are residents of California were intended to be within the broad definition of “consumers” under the CCPA or whether they were outside the CCPA and thus exempt from most of their employers’ obligations. Governor Newsom settled the question on October 11, 2019, when he signed Assembly Bill 25, among others, into law.
Assembly Bill 25 creates a one-year period during which many of the CCPA’s requirements will not apply to the personal data collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors when the information is collected solely in the context of that person’s role or former role in the business. In other words, as long as employers are collecting the data of employees and job applicants for purposes solely relating to employment, the CCPA generally does not apply to the collection of that information.
Employers should be aware of some carve-outs from the employee exemption. For example, the exemption does not apply to an employee’s personal data if the employee is also a consumer of the employer’s business products and services. Further, the exemption does not remove the notice requirement under 1798.100(b). Thus, by January 1, 2020, companies would still need to inform employees, potential employees, and other consumers what information is collected and why, and how such information is used and disclosed. Employees are also entitled to sue their employer following a data breach because their personal data is not exempt from a consumer private right of action under Section 1798.150.
After the one-year period for the employee exemption times out on January 1, 2021, it is unclear whether covered employers will then be obligated to provide the same rights to employees that they provide to all other consumers. Unless the California legislature passes an employee privacy law between now and then or the law is further amended to make the employee exemption permanent, covered employers will need to offer employees and job applicants who are California residents the same rights as they do to California consumers.
The reason for all of the anxiety before AB 25 settled the question over the employee exemption is that intentional violations of the CCPA can bring civil penalties of up to $7500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. The maximum fine for other violations is $2500 per violation. Consequently, employers may want to begin voluntary application of all consumer rights to employees, starting in 2020, so that they are fully compliant by January 1, 2021, when the exemption for the personal data of employees is set to expire.
So, what should employers be doing now to reduce exposure to liability to their employees under the CCPA? The first step is to remember that best practices for human resources professionals only need to change if the business is subject to the CCPA to begin with. If the business is subject to the CCPA, then it should apply to employee data the same steps it is applying to the “personal information” it collects from customers and consumers. A few key issues unique to including employees within a CCPA compliance program are:
- Determine which employees are residents of California or whether to extend the California consumer rights to all employees.
- Determine which systems and third-party service providers hold the employee information.
- Develop a streamlined method by which employees can make personal information access and deletion requests.
- Develop processes to identify and isolate an individual’s information.
- Train a team of employees to handle and respond to CCPA requests from employees.
Governor Newsom also signed four other bills on October 11, 2019, that directly amend the CCPA, and two other bills that affect the CCPA. And, on October 10, 2019, the California Attorney General released draft regulations to help businesses determine how to shape their compliance obligations. For our Alert discussing the other amendments and draft regulations, please read here.
Michael Best’s Privacy & Cybersecurity Team has kept pace with the CCPA developments by creating templates and tools that can be customized to all sizes of businesses across all affected industries. We have also explored and designed practical solutions to minimize compliance challenges of the core provisions of the law. Please reach out to our team for a consultation about the next best steps between now and the time that the CCPA becomes official on January 1, 2020.