As advanced, AB 25 provides a one-year hold for 2020 on CCPA’s application of many of its provisions to the personal information of employees, contractors, and job applicants. This hold is limited and only applies when the employer uses the data in the scope of its employment relationship for employment purposes. Any use by an employer outside the scope of the strict employment relationship would remain covered under CCPA. For example, if an employer allowed its insurance company to collect employee data in order to market other insurance services to those individuals, this would be subject to CCPA.
Employers must still notify employees, contractors and job applicants of the personal information that they collect and how they use it. Such employee data will also fall within the purview of CCPA’s private right of action for data breaches resulting from the failure to implement reasonable security measures. Under CCPA, the potential damages for such data breaches can be based on statutory damages of $100 to $750 per consumer per security breach or actual damages (whichever is more). Based on the amendment hearing, we expect additional legislation to address employee monitoring to follow over the course of the year.
What should employers do now?
- Companies should undergo the time-consuming process of data mapping their employee data in addition to their “consumer” or customer data. Given the broad definition of personal information under CCPA, care should be taken to consider all data that is collected and how it is used and disclosed to third parties. Although there is a hold for 2020 on employee data, CCPA has a one-year lookback provision, which leaves open the question of whether employee data must be mapped as of January 1, 2019 or January 1, 2020.
- Companies should consider whether to defer implementing workplace monitoring plans until the laws in this area are more established.
- Companies should conduct a security audit of their systems that hold employee data. The risk of class actions for security breaches comes with hefty damages.
- Companies should include more robust employee privacy policies in their employee documents.