Insights
Publications

Employee Data under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023

October 4, 2022 Blog
Privacy Blog

Since the California Consumer Privacy Act (“CCPA”) was passed in 2018, employers have been watching carefully to see how the law will apply to data collected and maintained about their employees. Up until now, employment data had been exempted from most of the CCPA’s requirements. But the new amendments to the CCPA embodied in the California Privacy Rights Act (“CPRA”) come into effect on January 1, 2023, and that, coupled with the fact that the legislature failed to extend the employer exemptions, means that many categories of human resources data will be subject to the requirements of the law.

The Current CCPA Employer Exemptions Are Expiring

As it stands (and through the end of 2022), covered employers are only obligated to notify employees of the categories of data being collected and the purposes for which the data will be used. In the event of a security breach involving employee data, employers are required to notify affected individuals and could be liable for statutory damages. In response to these requirements, most covered employers developed privacy notices with the required disclosures and reviewed their data security policies and protocols to ensure consistency with best practices.

But starting in 2023, employee data will be treated as any other commercial information, and covered employers will need to add employee and human resources data to their ongoing compliance efforts. Indeed, under the CCPA, “personal information” is defined broadly to include information that “identifies, relates to, describes, is reasonably associated with, or could reasonably be linked, directly or indirectly, with a particular consumer household.” Cal. Civ. Code § 1798.140(o)(1). In the employee or human resources context, personal information could include an employee’s contact information, insurance and benefits elections, bank and direct deposit information, emergency contacts, dependents, resume and employment history, performance evaluations, wage statements, time punch records, stock and equity grants, compensation history, and many other forms of data routinely collected in the context of the employment relationship. Moreover, the CPRA introduces a new concept of “sensitive personal information” (such as financial information, social security numbers, communications content, health information, and biometrics) that must be considered and addressed by the employer.

New Requirements Take Effect in 2023

So what does this mean for employers? First, employers must prepare and provide a privacy notice to an employee (or a job applicant since such applicant is likely providing personal information) at or before the time personal information is collected. This could mean including a privacy policy (and a click-through mechanism) on any online application site, in the employee handbook, and/or on internal websites. The privacy policy is likely to be similar to the online privacy policy the employer includes for consumers, though it will need to be revised to accurately reflect the categories of personal information collected (along with the length of time the employer intends to retain data in each category), as well as the categories of third parties with whom such information will be shared (e.g., payroll service providers, etc.).

Read the full Privacy blog post with key takeaways here.

Firm Highlights

Publication

How Companies Can Stop Trade Secret Disclosure in California

When an executive, founder, or employee with access to trade secrets or confidential information leaves a company to work elsewhere, employer trade secrets might be used by a competitor. Under two laws, California’s Uniform...

Read More
News

50 Farella Lawyers in 2023 The Best Lawyers in America® and the Best Lawyers: Ones to Watch in America™; 4 Lawyer of the Year Awards

Read More
News

Farella Braun's Doug Dexter on New ABA Role

Doug Dexter was recently elected chair of the American Bar Association’s (ABA) Labor and Employment Law Section. He spoke to Law360 about his plans for the role, issues affecting labor and employment lawyers, and his...

Read More
News

New Law Will Expand Pay Transparency Requirements in California

Holly Sutton and Hillary Marks spoke to The Recorder about California's pay transparency act, SB 1162, for the article "New Law Will Expand Pay Transparency Requirements in California." Read the article here  (subscription required...

Read More
Publication

California Extends COVID-19 Leave Through December 31, 2022

Governor Gavin Newsom has signed AB 152 into law, extending Supplemental Paid Sick Leave (“SPSL”) through December 31, 2022. SPSL, which requires California employers with over 26 employees to provide up to 80 hours paid...

Read More
News

Farella Braun + Martel Earns 2023 U.S. News – Best Lawyers® "Best Law Firms" Rankings

Read More
Publication

California Extends Presumption of COVID-19 as Workers’ Compensation Injury and Modifies Notice Requirements for Potential Exposure

In addition to AB 152 extending COVID-19 leave through December 31, 2022 , Governor Gavin Newsom has also signed into law two other COVID-related bills—AB 1751 and AB 2693—affecting employers’ policies regarding employees who...

Read More
News

Farella’s Doug Dexter Elected Chair of the ABA’s Labor and Employment Law Section

Doug Dexter headshot
Read More
Publication

California’s AB2188 Now Prohibits Employee Discipline for Off-Duty Marijuana Use

A new law in California will significantly change the way employers can address employees’ marijuana use. While prior law made clear that employers could terminate employees for off-duty marijuana use, a new bill prevents...

Read More
Publication

What California’s Pay Transparency Law May Mean for You

California Gov. Gavin Newsom has signed a new pay transparency act that will require significant changes in how employers draft job postings and how they report pay data to the state. Given the scope...

Read More