Employee rights to data access and deletion under the CCPA
When the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted. Among the many amendments proposed to the CCPA in recent months, AB25 was initially designed to correct this expansion of employee access and control. With input from organized labor, AB25 has since been scaled back and the California State Assembly appears to have reached a decision that provides some clarification and limited – albeit temporary – relief to employers. According to the new amendment, the CCPA’s definition of “personal information” will not apply to:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Emphasis added.)
While this contemplated revision to the CCPA provides some breathing room to employers, the following limitations should be kept in mind:
Exemption is temporary: This proposed exemption for employee data is explicitly temporary. It will expire on Jan. 1, 2021, unless extended. In the meantime, interested parties, including businesses and organized labor, are expected to work together to develop an agreed-on long-term solution to the treatment of employee data.
Private right of action for security breach remains: The exemption granted under AB25 does not apply to the CCPA’s private right of action following a data breach resulting from a business’s failure to implement reasonable security measures. This means that employees, like other California consumers, are entitled to bring a lawsuit seeking CCPA statutory damages following a breach.
Advance disclosure of collection practices still required: Businesses will still be required to disclose to employees and job applicants, at or before the time the personal information is collected, the categories of personal information they collect and the purposes for which they use that information. This disclosure requirement goes into effect Jan. 1, 2020.
If passed, what does AB25 mean for employers trying to comply with the CCPA in connection with personnel-related data? We recommend the following:
1. Segregate data. To the extent employees interact with your company as a “consumer,” consumer data should be kept separately. That individual will still have access and deletion rights in connection with nonemployment-related data.
3. Update employee onboarding materials. Future employees and independent contractors will be entitled to know the types of information their employers will be collecting about them. These updates may be made in the employee handbook or other onboarding materials, as applicable.
4. Update security procedures related to employee and applicant data. AB25 does not negate an employer’s obligation to implement and maintain reasonable security procedures under the CCPA. The private right of action afforded to all California consumers, including employees, may make a data breach under the CCPA extremely costly, so it is critical to ensure that employee data is afforded the same security protections required for all personal information under the CCPA.
5. Continue to prepare for employee access and deletion requests – just in case. Because of the broad support of AB25 and the input from both the business community and organized labor, most expect AB25 to become law. However, if it is not passed by the California State Legislature before Sept. 13, 2019, businesses should consider that California employee data may be treated as “in scope” of current CCPA consumer information requirements. In addition, should a permanent compromise not be reached, businesses must be prepared for access and deletion requests for employee data beginning on Jan. 1, 2021.