The California Consumer Privacy Act (CCPA), officially in effect since January 1, 2020, is slated for enforcement by the California Attorney General beginning on July 1. Although proposed regulations are not finalized, businesses that meet the statutory thresholds for revenue or amounts of consumer data collected are expected to be in compliance with the law, which grants California residents the right to access their data, request deletion of their data, and opt out of data trade transactions.
Although the law initially applied to all businesses and categories of data broadly, fortunately for California employers, a recent amendment exempts employers from most of the law’s requirements as it pertains to personal information collected about applicants, employees, and independent contractors in connection to employment. However, employers are still obligated to provide notice of data collection and may be held liable for data breaches that result from their failure to implement reasonable security measures to safeguard such sensitive data. Accordingly, California employers must make careful decisions about what kinds of personal information they will continue to collect, how they will store that information, and how they will notify workers and applicants of their data collection practices.
Only businesses that meet certain statutory thresholds must abide by its consumer privacy requirements. Covered businesses are defined as businesses that do business in California, collect the personal information of California residents, and satisfy one of the following criteria:
- Have annual gross revenues over $25 million,
- annually buy, receive, sell, or share personal information of 50,000 or more California residents, households or devices, or
- derive 50% or more of their annual revenue from selling the personal information of California residents.
Businesses that do not meet these statutory thresholds are not covered businesses for the purposes of CCPA and do not have any compliance obligations.
Data collected from California residents in their capacity as employees, applicants, and independent contractors is mostly exempted from the CCPA requirements. This exemption does not apply broadly to all personal information for any use. This exemption only applies to data that is collected in the employment context. Thus, data collected about an employee, applicant, or contractor in their capacity as a customer of the business is not within the scope of the exemption. Information collected by third parties for processing certain voluntary benefits like discount programs and other perks outside of the work context is also not within the scope of the exemption and is fully covered by the CCPA.
Currently, the law requires limited compliance from covered employers as it relates to employees’ personal information – (1) providing notice at the time of collection of personal information that explains what categories of information are being collected and for what purposes and (2) implementing reasonable security measures to prevent data breaches.
Under the CCPA, covered businesses that collect a consumer’s personal information must provide the individual with notice listing the categories of personal information collected and the purposes for which the information will be used. This notice must be “at or before the point of collection.” The current draft of the Attorney General’s proposed regulations provides important clarifications regarding business’ notice obligations. Although much of the focus of the law has been on digital privacy, its requirements apply to all circumstances when personal information is collected, including offline interactions in which businesses collect information from paper forms or other observations.
The notice must be presented in a way that is understandable to the consumer, using straightforward language and a form that draws the individual’s attention. Because the notice must be available in languages in which the businesses ordinarily provide contracts, employers with multilingual workplaces may be required to provide notice forms in multiple languages.
The regulations provide certain examples of forms of notice that may be acceptable under the statute, including:
- When information is collected online—a conspicuous link to the notice on the introductory page of the business’ website and all webpages where personal information is collected.
- When the information is collected offline—preprinted form notices or signage that directs individuals to the notice online.
- When a business collects personal information over the phone or in-person it may provide the notice orally.
The terms of the notice are binding on the business as personal information cannot be used for purposes that materially differ from what is disclosed on the notice. Furthermore, businesses cannot collect categories of personal information beyond what is disclosed. Thus, businesses that want to collect additional information or use the information already collected for additional purposes must issue new notices disclosing those practices.
Note that the CCPA employs a notice and choice model for consumer privacy protection. Thus, the focus is not on prohibiting the collection of any particular kind of information or any particular kind of practice related to the personal information that is collected. Instead, the CCPA requires covered businesses to provide notice and disclosure to individuals in certain circumstances so that they can make informed choices about their own personal information. Thus, to the extent that the CCPA constrains employers from collecting or processing any personal information about their employees, it stems from a lack of initial disclosure regarding the practice, not any statutory prohibition.
What Is Personal Information?
The statute defines “personal information” broadly to encompass all information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This may include a wide array of information that employers routinely collect or generate about employees, including names, addresses, usernames, IP addresses, email addresses, account names, SSNs, driver’s license numbers, passport numbers, characteristics of protected classifications, biometric information, electronic network activity information such as browser and search history, geolocation data, surveillance footage or audio, and professional or employment-related information.
Consider that in the employment context, this definition of personal information may also implicate information contained in job applications, resumes, employment contracts, contact information, disciplinary records, performance reviews, identification badges, marketing materials, timekeeping data, results of background checks and drug tests, information used for payroll processing and benefits administration, and all footage or audio captured from any monitoring or surveillance systems in the workplace.
The CCPA establishes a duty for covered businesses to implement reasonable security procedures and practices to safeguard the personal information collected. The duty exists as to both physical documents and digitally stored information. The law also creates a civil cause of action for any consumer whose nonencrypted and nonredacted personal information is accessed and disclosed in a breach as a result of the business’ failure to implement such policies.
Accordingly, all covered businesses must assess whether their privacy policies and security measures are CCPA compliant. Unfortunately, the law does not clarify what “reasonable security procedures and practices” satisfy the CCPA duty to safeguard personal information. However, past publications by the state and industry standards can provide a useful measure for evaluating existing security procedures and policies. For example, in a 2016 report on data breaches the Attorney General’s Office endorsed the 20 controls identified in the Center for Internet Security’s Critical Security Controls, which it deemed a “minimum level of information security that all organizations that collect or maintain personal information should meet.” It also stated that the failure to implement that minimum level of security would constitute “a lack of reasonable security.” The report recommends the use of multi-factor authentication to protect critical systems and data, including on consumer-facing online accounts, and encourages the use of strong encryption on all devices.
The report recognized that while implementing the recommended measures does not guarantee the prevention of all breaches, it may “significantly reduce the risk and impact of the commonly occurring breaches.” Thus, while the CCPA does not directly incorporate the report in its mention of reasonable security measures, the language suggests that the state views the measures endorsed as “best practices” in information security. Businesses that follow its guidelines can be in a favorable position in the event of a breach.
COVID-19-Related Considerations
As businesses begin to reopen, employers’ attempts to ensure that employees are returning to a safe workplace may implicate CCPA obligations. Employers considering temperature checks or other health monitoring practices to prevent transmission in the workplace should be mindful of the fact that such practices lead to the collection of “personal information.” Accordingly, employees of covered businesses must be notified of the type of information (temperature, symptoms, etc.) being collected and what that information will be used for (ensuring a safe workplace by decreasing risk of transmission, contact tracing, notification of potentially affected individuals, etc.).
Although the EEOC has approved of temperature screening practices, employers must keep any information about employee diagnoses and symptoms private. Additionally, employers that turn to third-party entities for health monitoring services may have certain HIPAA obligations if the provider is a covered entity. Employers may need employees to execute HIPAA-compliant authorization forms in order to obtain test results. In the event of a confirmed or suspected case in the workplace, an employer may be obligated to notify public health officials and other employees who may have been in contact with the affected individual. But employers should avoid revealing the identity of any individuals to the extent possible.
Note that related practices like contact tracing, whether done through digital means like proximity-tracking devices and smartphone applications or regular monitoring and self-reporting, will also implicate data collection disclosure requirements.
Businesses with remote workers may also be considering implementing keylogging and spyware solutions to keep track of employee work and productivity. Such solutions result in the collection of personal information like network activity, which is within the scope of the CCPA’s disclosure requirement.
- Consider data mapping. As the enforcement date nears, consider data mapping all of your employee data to keep track of what information you have in your records, what information you collect, when and where the information is collected, where it is stored, how the information is used, and who has access to that information. Use this as guidance for drafting a disclosure to employees and applicants to be presented at all points of collection, including online and offline interactions.
- Be on the lookout for finalized regulations that may provide further guidance on compliance and shed light on any ambiguities.
- Be ready for full compliance if the exemption expires. While employers are currently exempted from many of the law’s requirements, the exemption is set to expire at the end of the year. If the legislature does not address data privacy in the employment context specifically by the end of the year, employers will be responsible for fully complying with all of the CCPA provisions regarding notice, disclosure, right to delete, and right to opt out. Consider that under the CCPA, a business must respond to a consumer request for their data by disclosing all information collected about the individual in the previous 12-month period. Thus, any information collected about employees this year may later be subject to disclosure if or when the employer exemption expires.