Labor groups concerned about employee privacy have succeeded in slowing the effort to pass legislation exempting employer-held information from the California Consumer Privacy Act ("CCPA"). Thanks to their intervention, the proposed legislation – AB 25 – has been revised to provide that the CCPA will apply to personal information of employees and other personnel, but – with two key exceptions – not until January 1, 2021.
AB 25 as it stands now
In the form passed by the California State Assembly, AB 25 would have completely exempted from the CCPA personal information of employees, job applicants, contractors and agents collected and used in the context of HR administration. However, the bill was modified in the Senate Judiciary Committee to address the labor groups' concerns. In its current form, AB 25 would exempt for one year – until January 1, 2021 – most CCPA requirements relating to personal information of:
- a business's job applicants, employees, officers, directors, owners with a controlling interest, and contractors (as well as certain licensed doctors, dentists and podiatrists) who are California residents ("California Personnel");
- the emergency contacts of any California Personnel that a business collects and uses solely to keep emergency contacts on file; and
- beneficiaries and other individuals associated with California Personnel that a business collects and uses solely to administer benefits.
This grace period, however, does not apply to:
- the requirement to give a privacy notice to California Personnel at or before the point of collection of their personal information (e.g., on web pages collecting job applications, during employee on-boarding), or
- the private right of action for data breaches resulting from the failure to implement and maintain reasonable security measures.
After the grace period expires on January 1, 2021, businesses would be bound by all of the CCPA's requirements in the HR context, including the obligation to give rejected job applicants or terminated employees access to potentially sensitive internal feedback and correspondence about them.
What should businesses do now?
AB 25 remains under consideration by the California Senate and may be further amended before the legislature adjourns in September, but the prospect of an outright HR data exemption now appears dim. Accordingly, businesses should:
- cover HR data in their data mapping efforts to ensure they have the information needed to give accurate privacy notices to their California Personnel;
- reserve sufficient time to prepare and deliver privacy notices to California Personnel by January 1, 2020, in the event that the current draft of AB 25 is enacted;
- be aware that weaknesses in the security safeguards applied to HR data may increase the risk of costly class action data breach litigation; and
- remember that job applicant and employee review documentation generated during the one year grace period may become discoverable by California applicants and employees who exercise their CCPA access rights starting in 2021.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.