The California Consumer Privacy Act (CCPA) gives California residents various new rights regarding the collection, use, and disclosure of their personal information, and imposes a number of obligations on businesses covered by the CCPA, including some that apply to personal information collected from employees, owners, officers, directors, job applicants, and contractors, effective January 1, 2020. This article discusses issues for employers under the CCPA, as amended by AB 25, and under related regulations proposed by the California attorney general, including compliance with a notice provision by January 1.
The CCPA was enacted in 2018, and most of its provisions will be effective as of January 1, 2020.[1] It provides certain rights to every “consumer,” which is broadly defined as “a natural person who is a California resident.”[2] This definition is different from the common legal definition of “consumer,” which typically requires that an individual be buying or using goods or services for personal, family, or household purposes. When the CCPA passed, it seemed that employees and others in the business context were unintentionally included in the broad definition of “consumer,” which gave rise to efforts to amend the CCPA. As a result, the California legislature recently amended the CCPA so that most of its provisions will not apply to personal information of employees, owners, officers, directors, job applicants, and contractors until January 1, 2021.[3] This one-year delay also covers emergency contact information collected and used by employers solely to have emergency contact information on file, as well as information necessary for employers to administer benefits for someone related to an employee, owner, director, officer, job applicant, or contractor.
While employers have a temporary reprieve from most of the CCPA requirements, they must still comply with one of the notice provisions under the CCPA, effective January 1, 2020, if the business is covered by the CCPA. Also, employees, owners, directors, officers, job applicants, and contractors will have the right, along with all other types of consumers, to bring a claim for breach of security for nonencrypted and nonredacted personal information.[4]
It is expected that legislators will use the next year to develop modified requirements for personal information pertaining to all of these categories of individuals. But if the legislature does not address this situation in 2020, all of the CCPA’s requirements will come into effect for personal information of employees, owners, officers, directors, job applicants, and contractors as of January 1, 2021.
The CCPA requires businesses to inform California residents as to the categories of personal information they are collecting and the purposes for which each category of information will be used.[5] The notice should be provided “at or before the point of collection.”[6] Businesses must not collect additional categories of personal information or use personal information for additional purposes without providing individuals with a new notice.[7] The law does not expressly provide for notice with respect to information collected prior to January 1, 2020, but the prudent course is for employer notices to include all categories of personal information that the employer has collected, since transparency is a key goal of the CCPA.
The proposed regulations state that each category of information must be identified in a manner that can be readily understood, and the notice must identify the business or commercial purpose for which the information will be used.[8] It is important to note that the attorney general issued the proposed regulations the day before Governor Newsom signed AB 25, and they do not include any regulations that are specific to the employment context, nor do they appear to contemplate the unique circumstances of the employment context. It is quite possible that the attorney general will propose new regulations that will clarify how employers are expected to comply with the CCPA’s notice requirements in California Civil Code Section 1798.100(b).
In creating their notices, businesses should keep in mind that the term “personal information” is quite broadly defined in the CCPA, and includes information that is publicly available through online sites such as LinkedIn or Facebook. It also includes publicly available biometric information that is collected without the person’s knowledge (such as facial scans). The only “publicly available” information that is excluded from the definition of “personal information” is information that is lawfully made available from federal, state, or local government records.[9]
In general, “personal information” includes any information that identifies, relates to, describes, or is reasonably capable of being associated with or linked (directly or indirectly) with a particular individual or household. By way of example only, this includes online identifiers, email addresses, identifying or account numbers, biometric information (such as fingerprints, handprints, voiceprints, facial scans, and retinal or ocular scans, increasingly collected from employees as part of authentication and workplace security measures), protected class information, geolocation data, audio or video recordings, and employment and education information.
In the employment context, this includes contact information, job-related information and qualifications, national identification information, age and benefits information, travel-related records, professional memberships, results of background checks and screening, salary, performance records, absence records, computer usage monitoring records, GPS data, and so on. It does not, however, include personal information that is deidentified or aggregated (although these categories are narrowly defined). Thus, the CCPA notice requirements do not cover summary reports and other types of aggregated data that cannot be traced back to specific individuals.
In addition, as a result of AB 1355 (signed by Governor Newsom on October 11, 2019), personal information exchanged between a business and an individual acting as an employee, owner, director, officer, or contractor of a business or governmental agency will not be subject to the CCPA until January 1, 2021, if the information is exchanged in the context of due diligence or in providing or receiving a product or service from that business or government agency. In other words, business-to-business communications are exempted for one year, allowing legislators time to establish rules applicable to that context.
There is relatively limited guidance in the CCPA and proposed regulations regarding how employers are to provide the required notice to employees, owners, directors, officers, job applicants, and contractors. The proposed regulations specify only that the notices must
As discussed further below, businesses should provide notice in a manner that is most likely to be noticed, read, and understood, and that is readily available and accessible.
AB 25 garnered the most attention due to its impact on employers’ obligations related to personal information of their employees. The amendment also addresses personal information of job applicants and independent contractors, as well as owners, officers, and directors (some of whom may be employees as well).[11] While AB 25 provides the same one-year reprieve for their personal information, businesses have the same notice obligations with respect to job applicants, contractors, owners, officers, and directors as they do for employees, and those obligations are also effective January 1, 2020. For individuals in these categories, businesses should tailor both the content of the notices and how they are provided, given the more limited categories of information collected, the differing uses, and the different methods of communicating with individuals in these various roles.
The notice provision of the CCPA is effective January 1, 2020, and is enforceable only by the California attorney general. If a business does not comply with the notice requirements, the attorney general must provide notice and a 30-day opportunity to cure. Failure to cure will result in a violation that can lead to an injunction and civil penalties.[12]
The attorney general cannot “bring an enforcement action” until July 1, 2020 (or six months after the regulations are final, if that date is earlier).[13] When he issued the proposed regulations in October, the attorney general stated that businesses should not consider the first six months of 2020 to be a safe harbor. As a result, it is quite possible that his office will issue notices of noncompliance prior to July 1, 2020. At the very least, failure to comply with the notice requirements by January 1, 2020, may be a factor considered in setting penalties if a claim is ever brought regarding these notices or other CCPA provisions.
AB 25 expressly provides that the CCPA’s security breach private right of action provisions[14] are available to employees, owners, officers, directors, job applicants, and contractors as of January 1, 2020, along with all other California residents. Under the CCPA, consumers whose nonencrypted and nonredacted personal information is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may bring a civil action to recover damages (statutory or actual) and injunctive relief.[15] As a result, the CCPA provides businesses with yet another incentive for ensuring that personal information pertaining to their employees, owners, officers, directors, job applicants, and contractors is maintained in a secure manner appropriate to the nature of the information, in whatever form it is maintained.
Very generally, the CCPA applies to businesses that collect personal information, do business in California, and (1) have annual gross revenues in excess of $25 million (not limited to California revenue); (2) buy, receive, sell, or share personal information of 50,000 or more consumers (including employees), households, or devices; or (3) derive 50% or more annual revenue from the sale of consumers’ personal information.[16] It also applies to any entity that controls or is controlled by a covered business that shares common branding.[17] The CCPA does not apply to nonprofits (unless they are controlled by a business with common branding that is subject to the statute), or to certain healthcare providers governed by specified state or federal laws.
The CCPA does not apply to medical information governed by state or federal laws, or to information collected as part of clinical trials governed by federal law. There are other discrete exemptions to avoid conflicts with state and federal laws already governing certain types of information, including for credit reporting agencies, for financial information subject to specified state and federal laws, and for certain vehicle information.[18] The law does not restrict a business’s ability to otherwise comply with the law, or to assert or defend legal claims, nor does it pertain to conduct wholly outside of California.[19]
Businesses subject to the CCPA should identify all categories of personal information they have collected and will collect (regardless of source) that pertain to employees, owners, directors, officers, job applicants, and contractors who are California residents, and identify all current and anticipated uses of each category of information. Businesses should then create clear and concise notices that are accessible to those with disabilities, and provide these on or before January 1, 2020. Since it is likely that businesses collect and use different categories of personal information from individuals in different roles, they should consider developing several different notices; for example, for employees, for job applicants, and for contractors. In all cases, it is prudent to consider including a statement that the listing of usages is subject to the business’s other legal obligations, so that the listing is not misconstrued should the particular usage be restricted by other laws or agreements, or should the business need to provide or use the information in connection with litigation or similar matters.
Employers should consider how they typically communicate legally required notices to the various categories of affected individuals (for example, via email, hard copy, or otherwise), and consider whether to require that individuals confirm their receipt of the notices in some manner. If written acknowledgments are requested, they should be consistently obtained and documented. In addition to providing a readily visible notice to existing employees, it is reasonable to include the notice in any employee handbook and keep that information up to date. Employers should also be prepared to provide notices to job applicants and to new employees, owners, directors, officers, and contractors as they join or are otherwise engaged by the business.
With respect to personal information businesses have collected in the past that pertains to former employees, owners, officers, directors, job applicants, and contractors, or that pertains to emergency contacts or benefits beneficiaries, there is no indication that the CCPA or proposed regulations require businesses to locate and provide notices to those individuals unless and until the business will be collecting additional personal information from them.
As part of their work to comply with the CCPA’s notice requirements, businesses should reevaluate whether they have a business need for the collection, retention, and use of various types of personal information, and adjust those practices accordingly to reduce their burdens and risks. Businesses should also confirm that appropriate security measures are in place for protecting personal information stored electronically or offline, including encryption where appropriate, and consider deidentifying information in appropriate circumstances.
It is important to remember that the one-year delay for the effective date in the employment context pertains only to the collection and use of personal information in that context. To the extent that a business also collects information from these individuals in other contexts (including as retail consumers of the business’s products or services), the business will need to comply with all of the CCPA’s provisions for information collected unrelated to the employment context.
The CCPA provides a number of rights to consumers regarding the collection, use, and sharing of their personal information, including rights to require businesses to delete certain information and not to share the information, as well as rights to learn annually how their specific information has been used or shared. While there is a one-year delay for information pertaining to employees, owners, directors, officers, job applicants, and independent contractors, as well as for business-to-business communications, it is fully expected that new legislation will be adopted in the coming year providing individuals with greater control over their personal information. Employers will want to monitor developments, and take this next year to comprehensively assess their data collection needs and practices, including security measures, with respect to data from, about, or related to employees, owners, directors, officers, job applicants, and independent contractors. Engagement of counsel to direct and control these assessments may be prudent to protect confidentiality to the extent possible and increase compliance.
The California attorney general issued proposed regulations for the CCPA on October 10, 2019. The proposed regulations are pending public comment through December 6, 2019. As part of the rulemaking process, the California attorney general will then decide whether any modifications should be made to the proposed regulations before they become final. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which takes effect on January 1, 2020.
The Morgan Lewis privacy team is providing practical privacy advice to more than 100 businesses on compliance with the CCPA, the newly proposed regulations, and how to accept requests. If you have any questions or would like more information, please contact any of the following Morgan Lewis lawyers:
San Francisco: Carla Oakley, Michelle Park Chiu, Gene Park
Los Angeles: Joseph Duffy
Philadelphia: Gregory Parks, Ezra Church, Kristin Hadgis, Julian Williams
New York: Martin Hirschprung
Washington, DC: Dr. Axel Spies
[1] Cal. Civ. Code §§ 1798.100 et seq.
[2] Cal. Civ. Code § 1798.140(g).
[3] AB 25, signed by Governor Newsom on October 11, 2019, amended the CCPA to delay application of most of the CCPA in the employment context until January 1, 2021.
[4] Cal. Civ. Code § 1798.150.
[5] Cal. Civ. Code § 1798.100(b).
[6] Id.
[7] Id.
[8] CCPA Proposed Regulations, 11 C.C.R. §§ 999.300, 999.305(b).
[9] See generally Cal. Civ. Code § 1798.140.
[10] 11 C.C.R. § 999.305(a)(2); see also Cal. Civ. Code § 1798.185(a)(6) (authorizing the attorney general to promulgate rules to ensure that notices are easily understood, accessible, and in the language normally used).
[11] “Contractor” is defined as “a natural person who provides any service to a business pursuant to a written contract.” Cal. Civ. Code § 1798.145(h)(2)(A).
[12] Cal. Civ. Code § 1798.155(b).
[13] Cal. Civ. Code § 1798.185(c).
[14] Cal. Civ. Code § 1798.150.
[15] Id. (following a 30-day notice and cure period for most claims, consumers may bring actions to recover damages in an amount not less than $100 and not greater than $750 per consumer per incident, or actual damages, whichever is greater, along with injunctive or declaratory relief and any other relief the court deems proper).
[16] Cal. Civ. Code § 1798.140(c).
[17] Id.
[18] Cal. Civ. Code § 1798.145(c)-(g).
[19] Cal. Civ. Code § 1798.145(a)-(b).