Businesses with consumers in California may soon find themselves subject to the California Consumer Privacy Act of 2018 (the Act). The Act arrives on the heels of the expansive consumer protections offered by the European General Data Protection Regulation (GDPR), and echoes key GDPR concepts such as enhanced transparency and disclosure obligations regarding personal data. However, as companies race to comply, the question employers have begun asking is “Does the Act cover employee data?” Although the California legislature may choose to issue an amendment or clarification over the next 18 months, the answer for now appears to be a qualified “Yes.” This article addresses the potential implications of the Act for employers and the steps that employers can take to ensure compliance if the legislature does not exclude employee data from the Act’s scope.
The Basis for Extending Coverage to Employers
The Act does not reference “employer” or “employee,” and is clearly a consumer protection law. However, the “personal information” the Act seeks to protect explicitly includes “professional or employment-related information.” Additionally, the Act defines the term “consumer” broadly as a “natural person who is a California resident… however identified, including by unique identifier,” a definition that no doubt includes employees. Moreover, the legislative findings discuss employment; they refer to “apply[ing] for a job” as an activity that is “almost impossible to do… without sharing personal information.” These broad definitions appear to extend the Act’s coverage to employers and employees. Therefore, pending further guidance, employers with employees residing in California will want to assess whether the Act applies to their human resources operations.
The Relevant Provisions
- Covered employers: Businesses that fall into one of three categories: (1) those with annual gross revenues of more than $25 million; (2) those storing the personal information of at least 50,000 consumers, households, or devices; or (3) those earning at least half of their annual revenues from selling consumers’ personal information.
- Covered employees: The Act covers all “residents” of California. Therefore employers should be prepared to provide protections to any employee who resides in California, whether permanently or temporarily.
- Right to disclosure: Since the Act pertains to employee information, employers may be expected, at the time of or before collecting the information, to inform the employee about what data will be collected and the purposes for which the data will be used. Unlike GDPR, the Act does not require consumers (employees) to give consent before data can be collected.
- Right to access: A covered employee working in California may submit a verifiable consumer request and access (1) all personal information collected by the employer; (2) the categories of sources from which the personal information was collected; (3) the business purpose for collecting or selling the information; and (4) the categories of third parties with whom the information is shared. The Act’s “categories” language suggests that a general list of sources and third parties may suffice to fulfill this requirement. Importantly, the statutory right of data access only extends to the 12-month period preceding the request date, and the employer would not be required to provide information that adversely affects co-workers. The provision also specifically excludes information sold to or received from a consumer reporting agency if the data is used in accordance with the procedures of the federal Fair Credit Reporting Act (FCRA).
- Private right of action: Employees may have a limited private right of action for data breaches to recover the greater of actual damages or statutory damages of up to $750 per individual per incident.
- Discrimination protection: The Act provides protection against discrimination for exercising rights under the Act.
- Service provider misconduct: Businesses that share consumers’ personal information with service providers are not liable for the service provider’s misconduct if, at the time of disclosure, the business did not have actual knowledge, or reason to believe, that the service provider intended to violate the Act.
The Act’s other key provisions—the consumer’s rights to (1) opt out of sales of information and (2) request deletion of data—are unlikely to impact employers. Employers rarely, if ever, sell employee personal information. The Act specifically excludes corporate transactions such as mergers and acquisitions from the definition of “sale.” Similarly, the impact of the right to delete (or “be forgotten”) is curtailed by the Act’s many exceptions. For example, the right to delete does not apply to personal information that a business must maintain to comply with a legal obligation. Therefore, records, such as payroll records subject to legal retention requirements, would not have to be deleted upon request. Similarly, the right to delete does not apply if the employer collected or retained the data to protect against deceptive or fraudulent activity or “[t]o enable solely internal uses that are reasonably aligned with the expectations of the [employee] based on the [employee’s] relationship with the [employer].”
Steps for Employers
California has not issued regulations governing application of the Act, but employers should plan now for implementation. Depending on the number of impacted employees and the structure of corporate operations, employers must prepare to implement some or all of the following measures promptly.
- Institute security measures: Regularly review and set in place “reasonable security” measures and practices for data to avoid claims for a data breach. The Act does not provide insights into what constitutes “reasonable security.” Therefore, businesses are encouraged to adhere to industry best practices. Based on the 2016 Data Breach Report from the California Attorney General’s Office, the Center for Internet Security’s (CIS) Critical Security Controls or an equivalent framework would likely meet the security requirement.
- Implement tracking: The Act limits the right to access information to the 12-month period preceding the employee’s request. However, the Act does not specify whether businesses will be expected to disclose information for the 12 months preceding January 1, 2020, or whether the obligation to track the information commences on January 1, 2020. In the absence of further guidance, employers should be prepared to track the various categories under the access provision—sources, third parties and personal information—as of January 1, 2019.
- Handle non-California employee data: The law technically applies only to employees residing in California. However, the impact is likely to be much greater. A compliant company with employees in multiple states will either have to institute the Act’s reforms for all employees or design a bifurcated regime that treats the personal data of California employees one way and the personal data of other employees another way.
- Review service provider contracts: Employers should limit their liability under the Act for service provider misconduct. Prudent employers will include indemnity clauses in their vendor contracts covering misconduct under the Act and will ensure that the relevant contract prohibits the provider from using employees’ personal information for anything other than the contractual purpose.
According to the International Association of Privacy Professionals, more than 500,000 businesses may be affected by the Act. Also, in the wake of the GDPR and recent privacy scandals involving personal data, other states are expected to issue similar privacy protections. Regardless of whether the California legislature amends the Act to expressly exclude employee data, the Act is a call to all businesses to assess their treatment of employee personal data.