Despite being in effect since Jan. 1, 2020, the California Consumer Privacy Act (CCPA) continues to generate confusion for employers of California residents. Much attention has been given to the CCPA’s effect on a business’ obligations in collecting, using, and sharing California customers’ data. However, because the CCPA’s broad “consumer” definition includes “employees,” it also imposes duties on any in-scope business that manages California employees’ data. Notably, under the CCPA, “employees” include job applicants. The CCPA thus applies to both California customers and employees/job applicants of any “business,” which is defined as a for-profit organization doing business in California that controls how personal information is processed and: (i) has gross annual revenue exceeding $25 million; (ii) buys, receives, sells, or shares personal information of 50,000 or more California consumers, households, or devices; or (iii) derives 50% or more of its annual revenue from selling personal information of California residents. Civ. Code § 1798.140(c)(1). Importantly, for the CCPA to apply, businesses do not have to be physically in California. Thus, for example, a business that does not have any facilities in California, but employs remote workers in California, could be subject to the CCPA if it meets the CCPA’s “business” definition.
The passage in October 2019 of California AB 25, which delays the deadline for compliance with certain CCPA requirements with respect to California employees (and job applicants) until Jan. 1, 2021, adds to the confusion surrounding the CCPA’s current impact on California employers. Though this has caused many to put CCPA employee data compliance on the back burner, the limited delay does not apply to several of the CCPA’s requirements, and businesses should take action now with respect to several issues.
First, either at or before the time data is collected, a business must inform a California employee/job applicant of the categories and specific pieces of “personal information” it is collecting, and disclose the purpose for which the “personal information” will be used (i.e., provide a Privacy Notice, which must be updated on an annual basis). This raises the question of what constitutes “personal information” under the CCPA. Though the CCPA provides a laundry list of categories that constitute “personal information” (which employers should carefully review [see Civ. Code § 1798.140(o)(1)]), much of the “personal information” subject to the CCPA is collected by a business upon employee onboarding. For example, personal information “identifiers” include names, addresses, email addresses, and social security numbers.
Importantly, if a business’ employee is also a consumer of the business, all “personal information” collected in the consumer context remains covered by the CCPA. Similarly, using an employee’s “personal information” for any non-employment-related purpose will all but certainly violate the CCPA.
Second, a California employee whose personal information is accessed or disclosed without the employee’s authorization, or worse yet, stolen, because the business failed to implement and maintain reasonable security procedures/practices, could potentially bring a civil action against the business. If successful, the employee may recover statutory damages ranging from $100-$750 per incident, or the actual damages incurred, whichever amount is greater. Civ. Code § 1798.150(a)(1).
The risk of liability for the unintentional disclosure of employee personal data is substantial, particularly given the rise in mass data breaches, which could in turn expose a business to a costly class action. Given this risk, a business with California employees should be vigilant in ensuring it has adequate security measures in place to protect against the unauthorized dissemination of employees’ personal information.
While employee privacy rights are nothing new in California, the CCPA expands these rights, and in turn imposes significant burdens on “businesses” that employ California residents. Further, unless the CCPA is amended, in 2021 California employees will be afforded full protection and treated like consumers under the CCPA, including the right to request that employers delete their personal information.