The days of companies not having an employee privacy policy in their employee handbook or on their company intranet are quickly coming to an end due to the California Consumer Privacy Act (“CCPA”). Employers had hoped that certain amendments to CCPA, notably AB 25, would completely remove employee data from the scope of CCPA and pass through committee without modification for final Senate approval. But last week, the California Senate Judiciary Committee advanced AB 25 with changes, which means that employers will still have to grapple with their handling of employee data under CCPA.

As advanced, AB 25 provides a one-year hold for 2020 on CCPA’s application of many of its provisions to the personal information of employees, contractors, and job applicants. This hold is limited and only applies when the employer uses the data in the scope of its employment relationship for employment purposes. Any use by an employer outside the scope of the strict employment relationship would remain covered under CCPA. For example, if an employer allowed its insurance company to collect employee data in order to market other insurance services to those individuals, this would be subject to CCPA.

Employers must still notify employees, contractors and job applicants of the personal information that they collect and how they use it. Such employee data will also fall within the purview of CCPA’s private right of action for data breaches resulting from the failure to implement reasonable security measures. Under CCPA, the potential damages for such data breaches can be based on statutory damages of $100 to $750 per consumer per security breach or actual damages (whichever is more). Based on the amendment hearing, we expect additional legislation to address employee monitoring to follow over the course of the year.

What should employers do now?

  • Companies should undergo the time-consuming process of data mapping their employee data in addition to their “consumer” or customer data. Given the broad definition of personal information under CCPA, care should be taken to consider all data that is collected and how it is used and disclosed to third parties. Although there is a hold for 2020 on employee data, CCPA has a one-year lookback provision, which leaves open the question of whether employee data must be mapped as of January 1, 2019 or January 1, 2020.
  • Companies should consider whether or not to implement workplace monitoring plans until the laws in this area are more established.
  • Companies should conduct a security audit of their systems that hold employee data. The risk of class actions for security breaches comes with hefty damages.
  • Companies should include more robust employee privacy policies in their employee documents.