On January 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, is set to take effect. The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, storage, retention, security, and other requirements related to collecting consumers’ personal information.
Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data. Because the CCPA defines “personal information” broadly, courts may interpret that term to cover many categories of data collected from employees, applicants, directors, contractors, or other personnel.
California’s Legislature has provided some relief through Assembly Bill 25, which delays most of the CCPA’s application to employers until January 1, 2021. This suggests that the Legislature anticipates passing an employer-specific information privacy law in 2020. However, employers should be aware that, on January 1, 2020, the two provisions described below – governing data collection notice requirements and security breaches – will take effect for covered employers.
Only Certain Employers Are Covered by the CCPA
As a threshold issue, employers should determine whether they are covered by the CCPA. To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.
Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the criteria.
Covered Employers Must Provide Notice Regarding Data Collection, and May Be Liable for Statutory Damages for Any Security Breach
Although Assembly Bill 25 delayed most of the CCPA’s requirements for employers until 2021, the following two provisions will take effect on January 1, 2020.
- Notice to Employees, Applicants, and Contractors Regarding Data Collection
Effective January 1, 2020, the CCPA requires employers to notify applicants, employees, directors, contractors, and other personnel of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”
“Personal information” is defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of “personal information” frequently collected by employers include contact information, Social Security numbers, education history, employment history, bank account numbers, financial information, medical information, insurance information, emergency contacts, family and dependent information, information used to administer benefits programs, photographs or recordings, biometric information, internet or computer activity records, and other information concerning workers’ activities or performance.
In the event an employer intends to use previously collected personal information for a previously undisclosed purpose, the CCPA also requires new notice to affected individuals. So, for example, if an employer takes photographs of employees for their security badges, but later intends to post a photo of an employee with the employee’s name on the employer’s website, the employer must ensure the employees were properly notified that their photographs could be used for those purposes.
- Employers Are Liable for Certain Security Breaches
Effective January 1, 2020, the CCPA also establishes employer liability for certain security breaches concerning the personal information of employees, applicants, contractors, or other personnel. In the event of such a breach, each affected individual can recover between $100 and $750 in statutory damages.
To be actionable under the CCPA, an information security breach must meet the following criteria:
- The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of, in combination with an individual’s first name or initial and last name, the individual’s: (a) Social Security number; (b) driver’s license number or California identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (d) medical information; or (e) health insurance information. In the event of a qualifying breach, the employer must notify affected individuals and, if more than 500 California residents are involved, also notify California’s Attorney General.
- The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA does not define “reasonable security procedure and policies,” but California’s Attorney General provided some guidance in its February 2016 California Data Breach Report.
To recover statutory damages for a covered breach on an individual or class-wide basis, affected individuals must provide 30 days’ written notice to the business and an opportunity to cure any alleged information security failure. If the business timely cures the alleged failure and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual is no longer eligible to receive statutory damages.
What Does This Mean for Employers?
The CCPA’s notice provisions reinforce the need to clearly explain to employees, applicants, directors, contractors, and other personnel the purposes for which their information is being collected and for which it will be used. This counsels for review of all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, benefits enrollment materials, and other documents. Moreover, employers may want to develop a general privacy notice for new hires explaining what categories of data will be collected from them in the course of their employment and how the data will be used.
Employers should also review and update their internal policies concerning the collection and use of personal information, and train employees regarding these requirements. Any policies and trainings should be designed to prevent (1) the collection of personal information without compliant notice regarding the purpose and use of that information, and (2) using previously collected personal information for a new, undisclosed purpose without following the notice requirements. In particular, employers may want to provide training regarding what types of information are covered by the CCPA, as the definition is much broader than many would think.
The CCPA’s security breach provisions will substantially increase the risk to employers for handling the personal information of employees, applicants, directors, contractors, and other personnel. Before the CCPA, many security breach class actions were unsuccessful because individuals could not adequately demonstrate that they were harmed by the breach. Now that the CCPA includes statutory damages of $100 to $750 per affected individual, even a small breach could result in substantial exposure. Thus, employers should carefully review their information security policies and procedures to reduce the risk of a security breach of employees’, applicants’, directors’, contractors’, and others’ personal information.