Employee rights to data access and deletion under the CCPA
When the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted. Among the many amendments proposed to the CCPA in recent months, AB25 was initially designed to correct this expansion of employee access and control. With input from organized labor, AB25 has since been scaled back and the California State Assembly appears to have reached a decision that provides some clarification and limited – albeit temporary – relief to employers. According to the new amendment, the CCPA’s definition of “personal information” will not apply to:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Emphasis added.)
While this contemplated revision to the CCPA provides some breathing room to employers, the following limitation should be kept in mind:
Exemption is temporary: This proposed exemption for employee data is explicitly temporary. It will expire on Jan. 1, 2021, unless extended. In the meantime, interested parties, including businesses and organized labor, are expected to work together to develop an agreed-on long-term solution to the treatment of employee data.
Private right of action for security breach remains: The exemption granted under AB25 does not apply to the CCPA’s private right of action following a data breach resulting from a business’s failure to implement reasonable security measures. This means that employees, like other California consumers, are entitled to bring a lawsuit seeking CCPA statutory damages following a breach.
Advance disclosure of collection practices still required. Businesses will still be required to disclose to employees and job applicants, at the time or before the personal information is collected, the categories of personal information they collect and the purposes for which they use that information. This disclosure requirement goes into effect Jan. 1, 2020.
If passed, what does AB25 mean for employers trying to comply with the CCPA in connection with personnel-related data? We recommend the following:
1. Segregate data. To the extent employees interact with your company as a “consumer,” consumer data should be kept separately. That individual will still have access and deletion rights in connection with nonemployment-related data.
3. Update employee onboarding materials. future employees and independent contractors will be entitled to know the types of information their employers will be collecting about them. These updates may be made in the employee handbook or other onboarding materials, as applicable.
4. Update security procedures related to employee and applicant data. AB25 does not negate an employer’s obligation to implement and maintain reasonable security procedures under the CCPA. The private right of action afforded to all California consumers, including employees, may make a data breach under the CCPA extremely costly, so it is critical to ensure that employee data is afforded the same security protections required for all personal information under the CCPA.
5. Continue to prepare for employee access deletion requests – just in case: Because of the broad support of AB25 and the input from both the business community and organized labor, most expect AB25 to become law. However, if it is not passed by the California State Legislature before Sept. 13, 2019, businesses should consider that California employee data may be treated as “in scope” of current CCPA consumer information requirements. In addition, should a permanent compromise not be reached, businesses must be prepared for access and deletion requests for employee data beginning on Jan. 1, 2021.
InsightNot concerned about the CCPA? If you receive Personal Information from California businesses, you probably should be.Alison Bird, Judy SelbyAs the Jan. 1 effective date of the California Consumer Privacy Act (CCPA) gets closer, don’t make the potentially costly mistake of assuming it doesn’t apply to you. Though the CCPA directly covers entities that collect Personal Information from California consumers, those entities must pass certain CCPA requirements through to their “service providers.” A failure to be prepared for those requirements could put you at a serious competitive disadvantage.
InsightHarness the power of data analytics to optimize your internal audit functionToday’s chief audit executives face unique challenges stemming from the frenetic pace of market changes, emerging technologies, and other environmental dynamics.
InsightAligning IT risks with Enterprise Risk Management (ERM)An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.
InsightNew data privacy laws demand more proactive board oversightToday’s executives have plenty of reasons to worry about business risks. Chief among them is compliance with sweeping new privacy regulations that apply to organizations across industries and geographies.
InsightCCPA deadline looms: Three critical areas to prioritize by Jan. 1With the effective date of the California Consumer Privacy Act (CCPA) just weeks away, covered businesses are scrambling to meet the law’s wide-ranging requirements. These efforts are hampered by confusion around the CCPA and the recently proposed Attorney General implementing regulations. Nevertheless, businesses are still required to comply by the Jan. 1, 2020, deadline.