Insights
Publications

What Employers Should Know About the California Consumer Privacy Act Taking Effect January 1, 2020

October 2, 2019 Articles

On January 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, is set to take effect. The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, storage, retention, security, and other requirements related to collecting consumers’ personal information.

Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data. Because the CCPA defines “personal information” broadly, courts may interpret that term to cover many categories of data collected from employees, applicants, directors, contractors, or other personnel.

California’s Legislature has provided some relief through Assembly Bill 25, which delays most of the CCPA’s application to employers until January 1, 2021. This suggests that the Legislature anticipates passing an employer-specific information privacy law in 2020. However, employers should be aware that, on January 1, 2020, the two provisions described below – governing data collection notice requirements and security breaches – will take effect for covered employers.

Only Certain Employers Are Covered by the CCPA

As a threshold issue, employers should determine whether they are covered by the CCPA. To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.

Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the criteria.

Covered Employers Must Provide Notice Regarding Data Collection, and May Be Liable for Statutory Damages for Any Security Breach

Although Assembly Bill 25 delayed most of the CCPA’s requirements for employers until 2021, the following two provisions will take effect on January 1, 2020.

  1. Notice to Employees, Applicants, and Contractors Regarding Data Collection

Effective January 1, 2020, the CCPA requires employers to notify applicants, employees, directors, contractors, and other personnel of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”

“Personal information” is defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of “personal information” frequently collected by employers include contact information, Social Security numbers, education history, employment history, bank account numbers, financial information, medical information, insurance information, emergency contacts, family and dependent information, information used to administer benefits programs, photographs or recordings, biometric information, internet or computer activity records, and other information concerning workers’ activities or performance.

In the event an employer intends to use previously collected personal information for a previously undisclosed purpose, the CCPA also requires new notice to affected individuals. So, for example, if an employer takes photographs of employees for their security badges, but later intends to post a photo of an employee with the employee’s name on the employer’s website, the employer must ensure the employees were properly notified that their photographs could be used for those purposes.

  1. Employers Are Liable for Certain Security Breaches

Effective January 1, 2020, the CCPA also establishes employer liability for certain security breaches concerning the personal information of employees, applicants, contractors, or other personnel. In the event of such a breach, each affected individual can recover between $100 and $750 in statutory damages.

To be actionable under the CCPA, an information security breach must meet the following criteria:

  1. The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of, in combination with an individual’s first name or initial and last name, the individual’s: (a) Social Security number; (b) driver’s license number or California identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (d) medical information; or (e) health insurance information. In the event of a qualifying breach, the employer must notify affected individuals and, if more than 500 California residents are involved, also notify California’s Attorney General.
  2. The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA does not define “reasonable security procedure and policies,” but California’s Attorney General provided some guidance in its February 2016 California Data Breach Report.

To recover statutory damages for a covered breach on an individual or class-wide basis, affected individuals must provide 30 days’ written notice to the business and an opportunity to cure any alleged information security failure. If the business timely cures the alleged failure and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual is no longer eligible to receive statutory damages.

What Does This Mean for Employers?

The CCPA’s notice provisions reinforce the need to clearly explain to employees, applicants, directors, contractors, and other personnel the purposes for which their information is being collected and for which it will be used. This counsels for review of all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, benefits enrollment materials, and other documents. Moreover, employers may want to develop a general privacy notice for new hires explaining what categories of data will be collected from them in the course of their employment and how the data will be used.

Employers should also review and update their internal policies concerning the collection and use of personal information, and train employees regarding these requirements. Any policies and trainings should be designed to prevent (1) the collection of personal information without compliant notice regarding the purpose and use of that information, and (2) using previously collected personal information for a new, undisclosed purpose without following the notice requirements. In particular, employers may want to provide training regarding what types of information are covered by the CCPA, as the definition is much broader than many would think.

The CCPA’s security breach provisions will substantially increase the risk to employers for handling the personal information of employees, applicants, directors, contractors, and other personnel. Before the CCPA, many security breach class actions were unsuccessful because individuals could not adequately demonstrate that they were harmed by the breach. Now that the CCPA includes statutory damages of $100 to $750 per affected individual, even a small breach could result in substantial exposure. Thus, employers should carefully review their information security policies and procedures to reduce the risk of a security breach of employees’, applicants’, directors’, contractors’, and others’ personal information.

Firm Highlights

Publication

How to Navigate California Wage Statement Penalties After Naranjo v. Spectrum

On May 6, 2024, the California Supreme Court, in Naranjo v. Spectrum Security Services Inc. , clarified that an employer is not liable for statutory penalties for inaccurate wage statements when it had a...

Read More
Publication

Navigating Cannabis in the Workplace: A Guide for California Corporations

The landscape surrounding cannabis in the workplace is rapidly evolving, posing challenges for California corporations and businesses to establish effective policies and procedures. As the use of cannabis, both medical and recreational, becomes more...

Read More
Publication

A New Overtime Threshold Takes Effect in Mere Weeks: HR Should Assess Its Impact Now

On April 23, 2024, the U.S. Department of Labor (DOL) issued its final rule increasing the minimum pay requirements under the Fair Labor Standards Act (FLSA) for various exempt “white-collar” employee categories beginning on...

Read More
Publication

Important Changes and the Impact of California Industry-Specific Minimum Wage Laws

In the ever-evolving landscape of California labor laws, the minimum wage has once again taken center stage. With the recent state-wide increase to $16 per hour, the Golden State continues to lead the nation...

Read More
Publication

The Components of Effective and Defensible Workplace Investigations

Harassment, discrimination and retaliation are serious workplace threats that demand vigilant attention from employers under state and federal laws. This article explores some high-level yet essential components of effective workplace investigations. By understanding the...

Read More
News

Ex-DraftKings Exec Seeks Fast Trial To Test Noncompete Law

Holly Sutton, chair of Farella's Employment Law Group, provided expert commentary to Law360 for the article "Ex-DraftKings Exec Seeks Fast Trial To Test Noncompete Law." Read the article here (subscription required).

Read More
Publication

Navigating California Wage Statement Penalties After Naranjo v. Spectrum Security Services, Inc.

On May 6, 2024, the California Supreme Court, in Naranjo v. Spectrum Security Services, Inc. , clarified that an employer is not liable for statutory penalties for inaccurate wage statements when it had a...

Read More
Publication

Employment Law Update for Nonprofits With Holly Sutton

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . Charities, foundations, and their founders often request help addressing employment practices and compliance questions. In this episode, host Cynthia Rowland is joined by Holly...

Read More
Publication

California’s Estrada Decision and Impact on Employers and PAGA Claims

Following Estrada v. Royalty Carpet Mills, Inc. , the California Supreme Court’s employee-friendly Private Attorneys General Act (PAGA) ruling earlier this year, employers must remain more diligent than ever to prevent and mitigate costly...

Read More
Publication

Navigating California's Evolving Legal Landscape Governing Leaves of Absence

California’s employment laws are no stranger to change, and recent years have witnessed the introduction or modification of various protected leaves by employees. In this article, we will delve into three significant leave categories...

Read More