When the California Consumer Privacy Act (the CCPA) was enacted in June 2018, many businesses that operate globally were alarmed by the implied rights granted to employees to request disclosure of information contained in personnel files and to have that information deleted. Among the many amendments proposed to the CCPA in recent months, AB25 was initially designed to correct this expansion of employee access and control. With input from organized labor, AB25 has since been scaled back and the California State Assembly appears to have reached a decision that provides some clarification and limited – albeit temporary – relief to employers. According to the new amendment, the CCPA’s definition of “personal information” will not apply to:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. (Emphasis added.)
While this contemplated revision to the CCPA provides some breathing room to employers, the following limitation should be kept in mind:
Exemption is temporary: This proposed exemption for employee data is explicitly temporary. It will expire on Jan. 1, 2021, unless extended. In the meantime, interested parties, including businesses and organized labor, are expected to work together to develop an agreed-on long-term solution to the treatment of employee data.
Private right of action for security breach remains: The exemption granted under AB25 does not apply to the CCPA’s private right of action following a data breach resulting from a business’s failure to implement reasonable security measures. This means that employees, like other California consumers, are entitled to bring a lawsuit seeking CCPA statutory damages following a breach.
Advance disclosure of collection practices still required. Businesses will still be required to disclose to employees and job applicants, at the time or before the personal information is collected, the categories of personal information they collect and the purposes for which they use that information. This disclosure requirement goes into effect Jan. 1, 2020.
If passed, what does AB25 mean for employers trying to comply with the CCPA in connection with personnel-related data? We recommend the following:
1. Segregate data. To the extent employees interact with your company as a “consumer,” consumer data should be kept separately. That individual will still have access and deletion rights in connection with nonemployment-related data.
3. Update employee onboarding materials. future employees and independent contractors will be entitled to know the types of information their employers will be collecting about them. These updates may be made in the employee handbook or other onboarding materials, as applicable.
4. Update security procedures related to employee and applicant data. AB25 does not negate an employer’s obligation to implement and maintain reasonable security procedures under the CCPA. The private right of action afforded to all California consumers, including employees, may make a data breach under the CCPA extremely costly, so it is critical to ensure that employee data is afforded the same security protections required for all personal information under the CCPA.
5. Continue to prepare for employee access deletion requests – just in case: Because of the broad support of AB25 and the input from both the business community and organized labor, most expect AB25 to become law. However, if it is not passed by the California State Legislature before Sept. 13, 2019, businesses should consider that California employee data may be treated as “in scope” of current CCPA consumer information requirements. In addition, should a permanent compromise not be reached, businesses must be prepared for access and deletion requests for employee data beginning on Jan. 1, 2021.
InsightREAL ESTATE: How coronavirus will shape the smart workplaces of the futureVincent DermodyIn a post-pandemic world, office building design priorities will need to shift from function to the purpose of the space and the behavior of the people occupying it.
InsightRISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policiesShahryar ShaghaghiEfforts to limit coronavirus contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks.
InsightRISK MANAGEMENT: Companies need proactive, continuous contingency planningThe COVID-19 outbreak should serve as a driver to increase organizational efforts related to contingency planning for all organizations and their vendors.
InsightA place for humans in real estate data architectureThe people living and working within a building’s four walls not only generate data, but they also bring it to life. Without people occupying and using its spaces, a physical building provides significantly less usable information on its own. No people equates to no leasing information, no occupancy data, no utility usage, no foot traffic reads, no sales generated, no amenities needed, no services provided, no maintenance requests, no qualitative feedback given.
InsightGet the basics: The DOD's new CMMC StandardBhavesh VadhaniHere’s what to know about the Cybersecurity Maturity Model Certification (CMMC) and how to prepare to comply with it.