The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the CCPA require that companies start drafting privacy policies for their employees?

While there is no federal law that requires United States companies to provide employees with a privacy notice or a privacy policy, two states – Connecticut and Michigan – have historically required any company that collects the Social Security Number of an individual to provide the individual with written information about the company’s privacy practices.1 As employers must collect the Social Security Numbers of their employees under US law, the states functionally require that all employers create and distribute a privacy policy to their employees.

California’s CCPA significantly extends the obligation to provide employee privacy policies. For companies that are under the jurisdictional scope of the CCPA (e.g., have gross revenue of at least $25 million, or collect personal information of more than 50,000 Californians), the Act requires that they provide a privacy policy to any “consumer” from whom they collect personal information.2 As the term “consumer” is defined as referring to any resident of California, the Act arguably encompasses any California-based employees. Unlike the Connecticut and Michigan statutes, the CCPA is not limited to instances in which an employer collects Social Security Numbers. As a result, it extends the obligation to provide a privacy policy beyond employees to prospective employees (e.g., applicants), as well as employees of independent contractors or consultants that may be providing staffing-related support and for whom the company may be collecting personal information. The CCPA also requires that the privacy policy that is provided to employees contain information far more detailed than that which was required under Connecticut and Michigan law. The net result is that companies that have employees in California and are subject to the Act will either be required to provide those employees with a privacy policy for the first time, or will be required to revise existing employee-based privacy policies that were drafted against the backdrop of the Connecticut or Michigan law to account for the CCPA.

In comparison, the European GDPR requires that a company provide a privacy notice when it collects information from an individual. As companies, by necessity, collect personal information – including sensitive categories of personal information – from, and about, their employees and applicants, companies typically are required to provide those individuals with a privacy notice.

There is a limited exception under the GDPR, however, that states that privacy policies do not need to be provided if a “data subject already has the information” about a company’s privacy practices.3 To the extent that an employer’s use of an employee’s information is limited to effectuating the employment relationship, an employer might argue that the use would be expected (and known) by the employee and, as a result, a privacy policy is not strictly required. That said, some European Union Member State data protection authorities suggest that if an organization intends to rely upon this exception it should consider “mak[ing] privacy information available if [the data subject] look[s] for it,” by, for example, placing its privacy practices on its publicly accessible website.4 In addition, while some uses of data are undoubtedly expected and known by an employee (e.g., using personal data in order to make salary payments to the employee), other uses may be less certain (e.g., monitoring employees within the workplace may be expected by some employees, but not others).