Publications

What Employers Should Know About the California Consumer Privacy Act Taking Effect January 1, 2020

October 2, 2019 Articles

On January 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, is set to take effect. The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, storage, retention, security, and other requirements related to collecting consumers’ personal information.

Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data. Because the CCPA defines “personal information” broadly, courts may interpret that term to cover many categories of data collected from employees, applicants, directors, contractors, or other personnel.

California’s Legislature has provided some relief through Assembly Bill 25, which delays most of the CCPA’s application to employers until January 1, 2021. This suggests that the Legislature anticipates passing an employer-specific information privacy law in 2020. However, employers should be aware that, on January 1, 2020, the two provisions described below – governing data collection notice requirements and security breaches – will take effect for covered employers.

Only Certain Employers Are Covered by the CCPA

As a threshold issue, employers should determine whether they are covered by the CCPA. To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.

Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the criteria.

Covered Employers Must Provide Notice Regarding Data Collection, and May Be Liable for Statutory Damages for Any Security Breach

Although Assembly Bill 25 delayed most of the CCPA’s requirements for employers until 2021, the following two provisions will take effect on January 1, 2020.

  1. Notice to Employees, Applicants, and Contractors Regarding Data Collection

Effective January 1, 2020, the CCPA requires employers to notify applicants, employees, directors, contractors, and other personnel of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”

“Personal information” is defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Examples of “personal information” frequently collected by employers include contact information, Social Security numbers, education history, employment history, bank account numbers, financial information, medical information, insurance information, emergency contacts, family and dependent information, information used to administer benefits programs, photographs or recordings, biometric information, internet or computer activity records, and other information concerning workers’ activities or performance.

In the event an employer intends to use previously collected personal information for a previously undisclosed purpose, the CCPA also requires new notice to affected individuals. So, for example, if an employer takes photographs of employees for their security badges, but later intends to post a photo of an employee with the employee’s name on the employer’s website, the employer must ensure the employees were properly notified that their photographs could be used for those purposes.

  1. Employers Are Liable for Certain Security Breaches

Effective January 1, 2020, the CCPA also establishes employer liability for certain security breaches concerning the personal information of employees, applicants, contractors, or other personnel. In the event of such a breach, each affected individual can recover between $100 and $750 in statutory damages.

To be actionable under the CCPA, an information security breach must meet the following criteria:

  1. The breach must involve the “unauthorized access and exfiltration, theft, or disclosure” of, in combination with an individual’s first name or initial and last name, the individual’s: (a) Social Security number; (b) driver’s license number or California identification card number; (c) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (d) medical information; or (e) health insurance information. In the event of a qualifying breach, the employer must notify affected individuals and, if more than 500 California residents are involved, also notify California’s Attorney General.
  2. The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA does not define “reasonable security procedure and policies,” but California’s Attorney General provided some guidance in its February 2016 California Data Breach Report.

To recover statutory damages for a covered breach on an individual or class-wide basis, affected individuals must provide 30 days’ written notice to the business and an opportunity to cure any alleged information security failure. If the business timely cures the alleged failure and “provides the consumer an express written statement that the violations have been cured and that no further violations will occur,” the affected individual is no longer eligible to receive statutory damages.

What Does This Mean for Employers?

The CCPA’s notice provisions reinforce the need to clearly explain to employees, applicants, directors, contractors, and other personnel the purposes for which their information is being collected and for which it will be used. This counsels for review of all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, benefits enrollment materials, and other documents. Moreover, employers may want to develop a general privacy notice for new hires explaining what categories of data will be collected from them in the course of their employment and how the data will be used.

Employers should also review and update their internal policies concerning the collection and use of personal information, and train employees regarding these requirements. Any policies and trainings should be designed to prevent (1) the collection of personal information without compliant notice regarding the purpose and use of that information, and (2) using previously collected personal information for a new, undisclosed purpose without following the notice requirements. In particular, employers may want to provide training regarding what types of information are covered by the CCPA, as the definition is much broader than many would think.

The CCPA’s security breach provisions will substantially increase the risk to employers for handling the personal information of employees, applicants, directors, contractors, and other personnel. Before the CCPA, many security breach class actions were unsuccessful because individuals could not adequately demonstrate that they were harmed by the breach. Now that the CCPA includes statutory damages of $100 to $750 per affected individual, even a small breach could result in substantial exposure. Thus, employers should carefully review their information security policies and procedures to reduce the risk of a security breach of employees’, applicants’, directors’, contractors’, and others’ personal information.

Firm Highlights

News

Farella Announces 2024 Leadership Council on Legal Diversity Pathfinders: Taylor Rottjakob and John Ugai

Farella Braun + Martel is proud to announce that senior associates  Taylor E. Rottjakob and John M. Ugai have been named 2024 Leadership Council on Legal Diversity (LCLD) Pathfinders. Pathfinders have been identified as...

Read More
News

JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'

Intellectual property practice chair Eugene Mar provided expert commentary to American Banker for the article "JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'." In the article, he said: "By filing this as a trade...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

Corporate Transparency Act: A Guide on Beneficial Ownership for Nonprofit Executives

The Corporate Transparency Act, enacted as part of the National Defense Authorization Act for Fiscal Year 2021, represents a significant shift in regulatory requirements for entities across the United States. This act, set to...

Read More
News

North Coast Industry Insiders Weigh In on Why California Cannabis Tax Revenue Slipped in 2023

Jeff Hamilton spoke to Susan Wood with the North Bay Business Journal for the article "North Coast Industry Insiders Weigh In on Why California Cannabis Tax Revenue Slipped in 2023." Read the article with Jeff's...

Read More
News

Farella Braun + Martel Earns San Francisco Green Business Recertification

Read More
Publication

Corporate Transparency Act: State of the Law and Beneficial Ownership Reporting Requirements

Key Points: Despite ongoing legal challenges, the Corporate Transparency Act (CTA) generally remains in effect and enforceable. Clients should continue to abide by its regulations. Initial reports for entities formed in 2024 are due within...

Read More
Publication

Insurance Market Crushes Wineries and Wine Country Homeowners

We keep hearing about how difficult it is for winery and vineyard owners to get property insurance these days, both for their homes and their wine businesses in California’s wildfire-prone areas. Those who have...

Read More
Publication

Nonprofit Quick Tip: State Filings in North Carolina and South Carolina

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . Episode 75 is the tenth in a series of Quick Tip episodes focusing on the details of state registration of nonprofit corporations. With...

Read More
Publication

Employment Law Update for Nonprofits With Holly Sutton

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . Charities, foundations, and their founders often request help addressing employment practices and compliance questions. In this episode, host Cynthia Rowland is joined by Holly...

Read More