Employee rights to data access and deletion under the CCPA
When the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted. Among the many amendments proposed to the CCPA in recent months, AB25 was initially designed to correct this expansion of employee access and control. With input from organized labor, AB25 has since been scaled back and the California State Assembly appears to have reached a decision that provides some clarification and limited – albeit temporary – relief to employers. According to the new amendment, the CCPA’s definition of “personal information” will not apply to:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Emphasis added.)
While this contemplated revision to the CCPA provides some breathing room to employers, the following limitation should be kept in mind:
Exemption is temporary: This proposed exemption for employee data is explicitly temporary. It will expire on Jan. 1, 2021, unless extended. In the meantime, interested parties, including businesses and organized labor, are expected to work together to develop an agreed-on long-term solution to the treatment of employee data.
Private right of action for security breach remains: The exemption granted under AB25 does not apply to the CCPA’s private right of action following a data breach resulting from a business’s failure to implement reasonable security measures. This means that employees, like other California consumers, are entitled to bring a lawsuit seeking CCPA statutory damages following a breach.
Advance disclosure of collection practices still required. Businesses will still be required to disclose to employees and job applicants, at the time or before the personal information is collected, the categories of personal information they collect and the purposes for which they use that information. This disclosure requirement goes into effect Jan. 1, 2020.
If passed, what does AB25 mean for employers trying to comply with the CCPA in connection with personnel-related data? We recommend the following:
1. Segregate data. To the extent employees interact with your company as a “consumer,” consumer data should be kept separately. That individual will still have access and deletion rights in connection with nonemployment-related data.
3. Update employee onboarding materials. future employees and independent contractors will be entitled to know the types of information their employers will be collecting about them. These updates may be made in the employee handbook or other onboarding materials, as applicable.
4. Update security procedures related to employee and applicant data. AB25 does not negate an employer’s obligation to implement and maintain reasonable security procedures under the CCPA. The private right of action afforded to all California consumers, including employees, may make a data breach under the CCPA extremely costly, so it is critical to ensure that employee data is afforded the same security protections required for all personal information under the CCPA.
5. Continue to prepare for employee access deletion requests – just in case: Because of the broad support of AB25 and the input from both the business community and organized labor, most expect AB25 to become law. However, if it is not passed by the California State Legislature before Sept. 13, 2019, businesses should consider that California employee data may be treated as “in scope” of current CCPA consumer information requirements. In addition, should a permanent compromise not be reached, businesses must be prepared for access and deletion requests for employee data beginning on Jan. 1, 2021.
InsightNew DOD requirements – supply chain, risk management, and Cybersecurity Maturity Model CertificationKristen Soles, Bhavesh VadhaniAs the number of ingress and egress points to applications and networks expands, cybercriminals are discovering new gateways to exploit government contractors and agencies. The supply chain is especially vulnerable: Attacks on global supply chains soared 78% in 2018, according to a recent report by Symantec Corp.
InsightIs Your Company Regulated Under the CCPA?Alison Bird, Judy SelbyAs the anticipated Jan. 1, 2020, effective date of the California Consumer Privacy Act (CCPA) draws closer, determining whether a company falls under its mandates is of critical importance.
InsightAs Technologies Let Buildings Speak, Owners Wonder: ‘Who Else Is Listening?’While tools like virtual assistants and digital heating systems promise energy savings, operational efficiency, tenant satisfaction, and financial optimization, they also come with a set of concerns around privacy infringement and cyber risks.
InsightFinance Executives See Automation, Technology, and Analytics as Key Drivers of GrowthIn these days of big data, predictive analytics, and digital transformation, the influence of finance executives is expanding as their responsibilities transcend traditional accounting and reporting activities.
InsightFTC Cybersecurity Proposals Introduce Daunting Compliance Burdens for Financial InstitutionsThe Federal Trade Commission (FTC) has proposed changes to the cybersecurity and privacy rules under the Gramm-Leach-Bliley Act (GLBA) that will bring additional compliance mandates for financial institutions.