Insights
Publications

What Employers Should Know About the California Consumer Privacy Act Taking Effect January 1, 2020

October 2, 2019 Articles

On January 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, is set to take effect. The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, storage, retention, security, and other requirements related to collecting consumers’ personal information.

Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data. Because the CCPA defines “personal information” broadly, courts may interpret that term to cover many categories of data collected from employees, applicants, directors, contractors, or other personnel.

California’s Legislature has provided some relief through Assembly Bill 25, which delays most of the CCPA’s application to employers until January 1, 2021. This suggests that the Legislature anticipates passing an employer-specific information privacy law in 2020. However, employers should be aware that, on January 1, 2020, the two provisions described below – governing data collection notice requirements and security breaches – will take effect for covered employers.

Only Certain Employers Are Covered by the CCPA

As a threshold issue, employers should determine whether they are covered by the CCPA. To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.

Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the criteria.

Covered Employers Must Provide Notice Regarding Data Collection, and May Be Liable for Statutory Damages for Any Security Breach

Although Assembly Bill 25 delayed most of the CCPA’s requirements for employers until 2021, the following two provisions will take effect on January 1, 2020.

  1. Notice to Employees, Applicants, and Contractors Regarding Data Collection

Effective January 1, 2020, the CCPA requires employers to notify applicants, employees, directors, contractors, and other personnel of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”

“Personal information” is defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of “personal information” frequently collected by employers include contact information, Social Security numbers, education history, employment history, bank account numbers, financial information, medical information, insurance information, emergency contacts, family and dependent information, information used to administer benefits programs, photographs or recordings, biometric information, internet or computer activity records, and other information concerning workers’ activities or performance.

In the event an employer intends to use previously collected personal information for a previously undisclosed purpose, the CCPA also requires new notice to affected individuals. So, for example, if an employer takes photographs of employees for their security badges, but later intends to post a photo of an employee with the employee’s name on the employer’s website, the employer must ensure the employees were properly notified that their photographs could be used for those purposes.

  1. Employers Are Liable for Certain Security Breaches

Effective January 1, 2020, the CCPA also establishes employer liability for certain security breaches concerning the personal information of employees, applicants, contractors, or other personnel. In the event of such a breach, each affected individual can recover between $100 and $750 in statutory damages.

To be actionable under the CCPA, an information security breach must meet the following criteria:

  1. The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of, in combination with an individual’s first name or initial and last name, the individual’s: (a) Social Security number; (b) driver’s license number or California identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (d) medical information; or (e) health insurance information. In the event of a qualifying breach, the employer must notify affected individuals and, if more than 500 California residents are involved, also notify California’s Attorney General.
  2. The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA does not define “reasonable security procedure and policies,” but California’s Attorney General provided some guidance in its February 2016 California Data Breach Report.

To recover statutory damages for a covered breach on an individual or class-wide basis, affected individuals must provide 30 days’ written notice to the business and an opportunity to cure any alleged information security failure. If the business timely cures the alleged failure and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual is no longer eligible to receive statutory damages.

What Does This Mean for Employers?

The CCPA’s notice provisions reinforce the need to clearly explain to employees, applicants, directors, contractors, and other personnel the purposes for which their information is being collected and for which it will be used. This counsels for review of all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, benefits enrollment materials, and other documents. Moreover, employers may want to develop a general privacy notice for new hires explaining what categories of data will be collected from them in the course of their employment and how the data will be used.

Employers should also review and update their internal policies concerning the collection and use of personal information, and train employees regarding these requirements. Any policies and trainings should be designed to prevent (1) the collection of personal information without compliant notice regarding the purpose and use of that information, and (2) using previously collected personal information for a new, undisclosed purpose without following the notice requirements. In particular, employers may want to provide training regarding what types of information are covered by the CCPA, as the definition is much broader than many would think.

The CCPA’s security breach provisions will substantially increase the risk to employers for handling the personal information of employees, applicants, directors, contractors, and other personnel. Before the CCPA, many security breach class actions were unsuccessful because individuals could not adequately demonstrate that they were harmed by the breach. Now that the CCPA includes statutory damages of $100 to $750 per affected individual, even a small breach could result in substantial exposure. Thus, employers should carefully review their information security policies and procedures to reduce the risk of a security breach of employees’, applicants’, directors’, contractors’, and others’ personal information.

Firm Highlights

Publication

Is your company covered by California's new privacy law?

Read More
News

Farella Braun + Martel Ranked Among “Best Law Firms” by U.S. News & World Report and Best Lawyers

Read More
Publication

In the Weeds: Marijuana Legalization & Employment Laws

Over the last several years, attitudes towards marijuana use have rapidly changed in the United States. According to a 2018 Pew Research Survey, 62 percent of U.S. respondents said marijuana use should be legal...

Read More
Publication

California's AB5 Codifies Stricter Rules for Independent Contractors - What Wine Industry Employers Need to Know

California Governor Gavin Newsom has signed into law AB5, codifying a new test for distinguishing employees from independent contractors. While AB5 does not go into effect until January 1, 2020, it will apply retroactively...

Read More
News

Kelly Matayoshi Installed as President of UC Hastings College of the Law Alumni Association Board of Governors

Read More
News

Benchmark California 2020 Ranks Farella Among Top Litigation Firms

Doug Young named among Top 20 Trial Lawyers in California SAN FRANCISCO, October 16, 2019: Farella Braun + Martel continues to be ranked among the top litigation firms by Benchmark California 2020, a guide...

Read More
Publication

New California Crown Act Reminds Employers to Carefully Consider Workplace Dress and Grooming Policies

California Governor Gavin Newsom has signed into law the nation’s first bill banning discrimination based on an employee’s hairstyle. Senate Bill 188, otherwise known as the Crown Act, expanded the definition of race under...

Read More
Publication

California’s New Ban on Mandatory Employment Arbitration: How We Got Here and What This Means

All employers should be aware that their use of mandatory employment arbitration agreements is prohibited in California effective January 1, 2020 under recently signed Assembly Bill No. 51 (AB 51). Under current California law...

Read More
Publication

California's AB5 Codifies Stricter Rules for Independent Contractors - What Employers Need to Know

On September 18, 2019, California Governor Gavin Newsom signed into law AB5, codifying the ABC test for distinguishing employees from independent contractors and expanding its application beyond California’s Wage Orders. While AB5 does not...

Read More
Publication

California Employers Granted a One-Year Reprieve on New Mandatory Sexual Harassment Training Deadline

If you are scrambling to comply with the new California sexual harassment training requirements, we have some good news: with some exceptions, employers have another year to put those plans in place. Under prior law...

Read More