Employee rights to data access and deletion under the CCPA

When the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted. Among the many amendments proposed to the CCPA in recent months, AB25 was initially designed to correct this expansion of employee access and control. With input from organized labor, AB25 has since been scaled back and the California State Assembly appears to have reached a decision that provides some clarification and limited – albeit temporary – relief to employers. According to the new amendment, the CCPA’s definition of “personal information” will not apply to:

Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Emphasis added.)

While this contemplated revision to the CCPA provides some breathing room to employers, the following limitation should be kept in mind:

Exemption is temporary: This proposed exemption for employee data is explicitly temporary. It will expire on Jan. 1, 2021, unless extended. In the meantime, interested parties, including businesses and organized labor, are expected to work together to develop an agreed-on long-term solution to the treatment of employee data.

Private right of action for security breach remains: The exemption granted under AB25 does not apply to the CCPA’s private right of action following a data breach resulting from a business’s failure to implement reasonable security measures. This means that employees, like other California consumers, are entitled to bring a lawsuit seeking CCPA statutory damages following a breach.

Advance disclosure of collection practices still required. Businesses will still be required to disclose to employees and job applicants, at the time or before the personal information is collected, the categories of personal information they collect and the purposes for which they use that information. This disclosure requirement goes into effect Jan. 1, 2020.

If passed, what does AB25 mean for employers trying to comply with the CCPA in connection with personnel-related data? We recommend the following:

1. Segregate data. To the extent employees interact with your company as a “consumer,” consumer data should be kept separately. That individual will still have access and deletion rights in connection with nonemployment-related data.

2. Update disclosures for applicants. Businesses continue to have obligations under the CCPA to disclose to potential applicants the categories of personal information to be collected and the purposes for which the categories will be used BEFORE such data is collected. This may involve revisions to the company’s public-facing privacy policy if recruiting occurs online, as well as other documentation used for recruiting purposes.

3. Update employee onboarding materials. future employees and independent contractors will be entitled to know the types of information their employers will be collecting about them. These updates may be made in the employee handbook or other onboarding materials, as applicable.

4. Update security procedures related to employee and applicant data. AB25 does not negate an employer’s obligation to implement and maintain reasonable security procedures under the CCPA. The private right of action afforded to all California consumers, including employees, may make a data breach under the CCPA extremely costly, so it is critical to ensure that employee data is afforded the same security protections required for all personal information under the CCPA.

5. Continue to prepare for employee access deletion requests – just in case: Because of the broad support of AB25 and the input from both the business community and organized labor, most expect AB25 to become law. However, if it is not passed by the California State Legislature before Sept. 13, 2019, businesses should consider that California employee data may be treated as “in scope” of current CCPA consumer information requirements. In addition, should a permanent compromise not be reached, businesses must be prepared for access and deletion requests for employee data beginning on Jan. 1, 2021.