Q. What are my company’s obligations under the California Consumer Privacy Act?

A. The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. On or before that date, businesses that employ California residents, retain California residents as independent contractors, or receive job applications from California residents must provide those individuals with notices detailing (1) the categories of personal information that the employer collects about them and (2) the purposes for which the personal information will be used. The CCPA requires that businesses provide these notices “at or before the point of collection” of personal information.

“Personal information” is defined broadly in the CCPA and includes items such as Social Security numbers, bank account numbers, education and employment history, characteristics of a protected classification under California or federal law (such as race, religion, gender, disability and age), biometric information, medical and health insurance information, and certain metadata, such as device IP address. In the employment/independent contractor context, businesses collect personal information for purposes such as onboarding, conducting background checks, managing the employment/contractor relationship (including payment of wages/fees, time records, direct deposit authorization, etc.), and preparing legally required records (including I-9 and EEO-1 forms). Businesses should consider incorporating the CCPA notice in the following documents and locations, as well as posting it where other notices are posted:

  • employee handbooks
  • offer letters
  • other new hire paperwork
  • employment agreements
  • restrictive covenant agreements
  • online job application portals.

In addition to requiring notice to individuals, the CCPA’s notice requirement extends to “personal information” related to households, which would include medical and health insurance information about an employee’s beneficiaries. Businesses should assess how to comply with their obligation to notify households in the absence of specific guidance, which hopefully will be forthcoming.

Although many employment-related requirements in the original CCPA were suspended until January 1, 2021 by the CCPA amendments, the notice requirement and the private right of action in the event of a data breach are still in effect. Consequently, businesses should properly secure employee, applicant and independent contractor-related personal information to mitigate risk of liability, and develop and distribute mandated notices at or before all points where employee, job applicant and independent contractor personal information is collected. Businesses also should consider what operational steps will be necessary to afford California resident employees, applicants and independent contractors full CCPA rights as of January 1, 2021.