California has enacted the California Consumer Privacy Act of 2018 (CCPA), establishing the strictest data privacy law in the United States. Although a California law, it applies to many businesses outside the state that meet the qualifying criteria and collect personal information from residents of California. Recent amendments provide a one-year partial exemption for personal information that is collected from job applicants, employees, business owners, directors, officers, medical staff or contractors. However, qualifying employers are still required to provide certain disclosures regarding their collection and use of employee data and are still liable for statutory damages if unencrypted, sensitive employee data is breached as a result of a failure to implement reasonable security measures.
What Is the CCPA?
The CCPA has extensive disclosure requirements and provides consumers with the right to know what personal information is collected, the purposes for which it will be used and to whom it is sold or disclosed, the right to opt out of the sale of personal information, the right to access their personal information and (with some exceptions) the right to delete their personal information. It also includes a private right of action seeking either statutory or actual damages in the event the consumer's unencrypted, sensitive information is subject to unauthorized access, theft or disclosure as a result of a business' violation of its duty to implement and maintain reasonable security measures. "Personal information" is broadly defined as information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Who Is Covered Under the CCPA?
The CCPA does not cover all businesses. It applies to for-profit entities doing business in California that collect personal information from California residents and meet one of three criteria:
- Annual gross revenue in excess of $25 million; or
- Alone or in combination, annually buy, receive, sell or share for commercial purposes the personal information of more than 50,000 consumers, households or devices; or
- Derive 50 percent or more of annual revenue from the sale of personal information.
It also applies to any entity that controls or is controlled by a covered business and shares common branding of that business, e.g., shared name, service mark or trademark.
Partial Exemption for Employee Personal Information
The amendments enacted in October 2019 provide a limited employee exemption for the first year of the law's implementation. For the most part, this employee exemption covers personal information that is collected from "employees"―which also includes job applicants, business owners, directors, officers, medical staff or contractors―including emergency contact information and information regarding beneficiaries. For example, employees will not have the right under the CCPA to access or request deletion of their personnel records. To qualify for the employee exemption, personal information must be collected and used solely for employment purposes.
However, there are two rights that were carved out of this exemption: (i) employers must provide an initial disclosure to all employees at or prior to the point of collection, and (ii) employees still have a right to statutory damages in the event of a data breach. These rights will apply to any businesses with employees in California that meet the qualifying criteria.
A business remains obligated to inform California employees, at or before the point of collection, of the categories of personal information to be collected and the purposes for which those categories of personal information will be used. Because the collection and use of employee data differ significantly from those of consumer data, employers will likely need to prepare a separate employee disclosure to comply with this requirement (in addition to any required consumer disclosures). Employers also need to look at their recruiting tools to ensure that this disclosure is made before they receive any information from applicants.
Rights for Breach
The CCPA gives consumers a private right of action against businesses in the event the consumer's unencrypted data is subject to unauthorized access, theft or disclosure as a result of a business' violation of its duty to implement and maintain reasonable security measures. Consumers can seek either statutory damages up to $750 per person, per incident, or actual damages. While this number appears small when viewed on an individual level, the size of recent data breaches may subject businesses to significant monetary damages.
The employee exemption does not apply to this private right of action or statutory damage provision.
Having a robust information security program for employee data and sufficient contract provisions with service providers handling this data will be essential for any businesses defending these claims.
The employee exemption has a sunset provision, ending on January 1, 2021. Unless further amended, all CCPA rights will extend to employees on that date.
What Employers Need to Do
- Determine whether the CCPA applies to your business.
- Inform key decision-makers about the CCPA and appoint a privacy compliance manager.
- Conduct data mapping to identify all employee personal information that the organization collects and the business purpose for the collection and use of such information.
- Draft an employee-specific disclosure document.
- Ensure that the employee disclosure is provided at or prior to the collection of employee personal information (including all applicants).
- Ensure that all contracts with service providers who have access to employee personal information include robust information security and privacy provisions.
- Ensure compliance with other privacy, security and data protection and disposal laws.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice.