Insights
Publications

What Employers Should Know About the California Consumer Privacy Act Taking Effect January 1, 2020

October 2, 2019 Articles

On January 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, is set to take effect. The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, storage, retention, security, and other requirements related to collecting consumers’ personal information.

Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data. Because the CCPA defines “personal information” broadly, courts may interpret that term to cover many categories of data collected from employees, applicants, directors, contractors, or other personnel.

California’s Legislature has provided some relief through Assembly Bill 25, which delays most of the CCPA’s application to employers until January 1, 2021. This suggests that the Legislature anticipates passing an employer-specific information privacy law in 2020. However, employers should be aware that, on January 1, 2020, the two provisions described below – governing data collection notice requirements and security breaches – will take effect for covered employers.

Only Certain Employers Are Covered by the CCPA

As a threshold issue, employers should determine whether they are covered by the CCPA. To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.

Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the criteria.

Covered Employers Must Provide Notice Regarding Data Collection, and May Be Liable for Statutory Damages for Any Security Breach

Although Assembly Bill 25 delayed most of the CCPA’s requirements for employers until 2021, the following two provisions will take effect on January 1, 2020.

  1. Notice to Employees, Applicants, and Contractors Regarding Data Collection

Effective January 1, 2020, the CCPA requires employers to notify applicants, employees, directors, contractors, and other personnel of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”

“Personal information” is defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of “personal information” frequently collected by employers include contact information, Social Security numbers, education history, employment history, bank account numbers, financial information, medical information, insurance information, emergency contacts, family and dependent information, information used to administer benefits programs, photographs or recordings, biometric information, internet or computer activity records, and other information concerning workers’ activities or performance.

In the event an employer intends to use previously collected personal information for a previously undisclosed purpose, the CCPA also requires new notice to affected individuals. So, for example, if an employer takes photographs of employees for their security badges, but later intends to post a photo of an employee with the employee’s name on the employer’s website, the employer must ensure the employees were properly notified that their photographs could be used for those purposes.

  1. Employers Are Liable for Certain Security Breaches

Effective January 1, 2020, the CCPA also establishes employer liability for certain security breaches concerning the personal information of employees, applicants, contractors, or other personnel. In the event of such a breach, each affected individual can recover between $100 and $750 in statutory damages.

To be actionable under the CCPA, an information security breach must meet the following criteria:

  1. The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of, in combination with an individual’s first name or initial and last name, the individual’s: (a) Social Security number; (b) driver’s license number or California identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (d) medical information; or (e) health insurance information. In the event of a qualifying breach, the employer must notify affected individuals and, if more than 500 California residents are involved, also notify California’s Attorney General.
  2. The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA does not define “reasonable security procedure and policies,” but California’s Attorney General provided some guidance in its February 2016 California Data Breach Report.

To recover statutory damages for a covered breach on an individual or class-wide basis, affected individuals must provide 30 days’ written notice to the business and an opportunity to cure any alleged information security failure. If the business timely cures the alleged failure and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual is no longer eligible to receive statutory damages.

What Does This Mean for Employers?

The CCPA’s notice provisions reinforce the need to clearly explain to employees, applicants, directors, contractors, and other personnel the purposes for which their information is being collected and for which it will be used. This counsels for review of all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, benefits enrollment materials, and other documents. Moreover, employers may want to develop a general privacy notice for new hires explaining what categories of data will be collected from them in the course of their employment and how the data will be used.

Employers should also review and update their internal policies concerning the collection and use of personal information, and train employees regarding these requirements. Any policies and trainings should be designed to prevent (1) the collection of personal information without compliant notice regarding the purpose and use of that information, and (2) using previously collected personal information for a new, undisclosed purpose without following the notice requirements. In particular, employers may want to provide training regarding what types of information are covered by the CCPA, as the definition is much broader than many would think.

The CCPA’s security breach provisions will substantially increase the risk to employers for handling the personal information of employees, applicants, directors, contractors, and other personnel. Before the CCPA, many security breach class actions were unsuccessful because individuals could not adequately demonstrate that they were harmed by the breach. Now that the CCPA includes statutory damages of $100 to $750 per affected individual, even a small breach could result in substantial exposure. Thus, employers should carefully review their information security policies and procedures to reduce the risk of a security breach of employees’, applicants’, directors’, contractors’, and others’ personal information.

Firm Highlights

Publication

Coronavirus and the Workplace: Is Your Business Prepared?

The outbreak of the novel coronavirus (COVID-19) implicates numerous legal obligations for employers, including leave, medical privacy, and discrimination. Employers should prepare to implement policies that strike a balance between ensuring safety and fostering...

Read More
Publication

California's AB5 Codifies Stricter Rules for Independent Contractors - What Wine Industry Employers Need to Know

California Governor Gavin Newsom has signed into law AB5, codifying a new test for distinguishing employees from independent contractors. While AB5 does not go into effect until January 1, 2020, it will apply retroactively...

Read More
Publication

Coronavirus and the Workplace: Key Legal Updates for Employers

With the spread of COVID-19 and the rapidly evolving federal, state, and local government response, it can be difficult for employers to keep up with their rights and obligations. This week, California’s Governor Gavin...

Read More
Publication

Use Caution When Laying off Employees Without a Return to Work Date

Employers who have laid off workers in recent weeks due to the shelter-in-place orders should be aware of little-known requirements regarding final paychecks.  Even if employees are being furloughed with the expectation of returning to...

Read More
Publication

New Laws for California Employers in 2020

The California Legislature and Governor Newsom have passed a sizable list of new laws governing the workplace in 2020. Employers are, once again, advised to evaluate their workplace rules and practices to insure they keep...

Read More
Publication

Coronavirus and Employee Privacy Laws: What Employers Should Know

The outbreak of the novel coronavirus (COVID-19) presents challenging medical privacy issues for employers. Employers must observe their employees’ continued legal right to privacy—including under the Americans with Disabilities Act (ADA), HIPAA, and/or relevant...

Read More
Publication

Families First Coronavirus Response Act - Posting Requirement for Employers

The recently enacted Families First Coronavirus Response Act (“FFCRA”) requires private employers with fewer than 500 employees to post a notice by April 1 summarizing the benefits available to employees under the FFCRA. For employers...

Read More
Publication

Is your company covered by California's new privacy law?

Privacy image
Read More
Publication

Weed at Work: Understanding Legalized Marijuana in the Office

Click here  for the audio recording of the webinar "Weed at Work: Understanding Legalized Marijuana in the Office."

Read More
Publication

California’s New Ban on Mandatory Employment Arbitration: How We Got Here and What This Means

All employers should be aware that their use of mandatory employment arbitration agreements is prohibited in California effective January 1, 2020 under recently signed Assembly Bill No. 51 (AB 51). Under current California law...

Read More