Jan. 1, 2020, marks the effective date of the recently enacted California Consumer Privacy Act (CCPA), a new law that requires companies to comply with numerous requirements related to collecting and processing personal information of California employees and other individuals.
Don’t let the “Consumer” language of the CCPA fool you – under the CCPA, the definition of “consumer” can easily include employees so long as they are natural persons who are California residents because they are either domiciled in California for a temporary or transitory purpose or are in California for more than a temporary or transitory purpose.
Which Employers Must Comply with CCPA?
With some exceptions,¹ employers must comply with CCPA if they receive personal information from California residents (including employees) and if their business – or its subsidiary or parent company² – meets at least one of the following criteria:
- Has annual gross revenues of $25 million;
- Buys, receives, sells, or shares³ the personal information of 50,000 or more California consumers, households, or devices annually for commercial purposes (whether alone or in combination with others); or
- Derives 50 percent or more of its annual revenues from selling California residents’ personal information.
Calculating Annual Revenues in Excess of $25 Million. It remains unclear whether annual revenue figures are derived from global revenues or only California revenues – the CCPA does not specify. However, this ambiguity may be addressed by amendments expected in 2019 when the California State Legislature reconvenes after the new year.
Determining if a Business Obtains or Sells the Personal Information of 50,000 California Consumers. Under the CCPA, employees’ performance reviews, compensation information, and many if not all HR records are likely to constitute “personal information,” and non-employee California consumers (as defined under CCPA) will also likely count towards the 50,000 tipping point that mandates compliance. In addition, because “personal information” as defined under CCPA includes IP address and device identification numbers captured by operating an application or website, the 50,000 number could be relatively easily achieved by many businesses.
The CCPA definitions of both “personal information” and “commercial purposes” cast a wide net that includes information and activities a business may not currently consider falling under either category. For example, the CCPA defines personal information as “any information that . . . relates to . . . a particular consumer or household” and specifically includes professional or employment-related information. The CCPA defines commercial purposes as “advanc[ing] a person’s commercial or economic interests,” such as by inducing another person to provide or exchange information or services.
Calculating 50 Percent of “Sales” of California Consumers’ Personal Information. The CCPA also broadly defines “selling” or “sales” as obtaining monetary or other valuable consideration for “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party[.]” Valuable consideration could include promotions or other marketing activities undertaken in exchange for disclosure of a consumer’s personal information.
What Actions Must Employers Take?
If an employer is subject to the CCPA, its employees (and other consumers) will have numerous rights under the CCPA. As described briefly below, employers will likely need to deploy internal and external processes and data handling practices to effectuate these rights – including, but not limited to, updating employee privacy policies or notices, creating or revising data maps and/or data inventories, revising contracts with service providers, and making designated methods available for employees (and other consumers) who submit data access requests.
What Are Employees’ Rights Under the CCPA?
Under the CCPA, employees are consumers. As such, employee rights are the same as those of any California consumer and include the following:
- Notice, Disclosure & Non-Waiver. Employees must be informed about the categories of personal information collected and the purpose of the collection at or before the time of collection.
  - No additional categories of information can be collected without prior notice.
  - Employees must be informed if their personal information is being sold or disclosed to third parties for “business purposes” that include disclosures to payroll vendors, benefit providers, and others.
  - Employers need to ensure their agreements with service providers expressly prohibit any sale or unauthorized use of employee information other than specified processing purposes.
  - Employees cannot be asked to contractually waive any rights provided by the CCPA.
  - There are specific requirements for how employees must be notified of and may exercise their CCPA rights – including toll-free numbers for submitting requests and clear and conspicuous links titled “Do Not Sell My Personal Information.”
- Data Access. Employees may request that employers disclose the categories of personal information collected about them and the specific personal information collected.
  - Employers must provide the information free of charge within 45 days once the request is verified (with a limit of no more than two requests per 12-month period).
- Deletion. Employees can request that their personal information be deleted.
  - Employers are permitted to retain the information necessary for performance of the employment contract; or
  - Employers may retain personal information if it is required only for internal purposes related to security, First Amendment rights, and other purposes detailed in Cal. Civ. Code § 1798.105(d) et seq.
- Opt-Out. Employees have the right to opt out of the “sale” of their personal information – here, “sale” falls under the CCPA’s broad definition. Covered employers should be aware of this broad definition when engaging third-party service providers or entering corporate deals that will involve the transfer of personal information.
- No Discrimination. An employer cannot retaliate or discriminate against employees who exercise their rights under CCPA.
What Sanctions Could Employers Face for Failing to Comply with CCPA?
California employees will have a private right of action for unauthorized access to their personal information (even if there is no harm). California employees may institute a civil action under CCPA if certain types of non-encrypted or non-redacted personal information are subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of a duty to implement and maintain reasonable security procedures and practices appropriate to protect the personal information.
- The employee is not required to show any actual harm or injury to maintain an action.
- Only personal information relating to driver’s license numbers, social security numbers, and medical and financial information is actionable “personal information” – and not the broader categories of information set forth in the CCPA’s “personal information” definition.
- The employee must provide the business 30 days’ written notice of the alleged CCPA violation to allow the business to cure the defect. If a cure is possible, and the business does cure within the 30-day window, no action for individual or class-wide damages may be initiated.
- The above notice is not required if an employee initiates an action for actual pecuniary damages resulting from the breach or unauthorized access.
- Within 30 days of filing any action, the employee must notify the California Attorney General’s office to give the office an opportunity to prosecute rather than allowing the civil action to proceed.
Statutory damages in independent civil actions or class actions involving data theft or other data security breaches range from $100 to $750 per California employee per incident, or actual damages, whichever is greater, and are subject to a 30-day notice requirement and opportunity for the California AG to intervene. The California AG may choose to bring a civil action for CCPA violations. Intentional violations are subject to penalties of up to $7,500 per violation. Unintentional violations that are not cured within 30 days of notice are subject to penalties of up to $2,500 per violation.
The California State Legislature is expected to consider changes to the law when it reconvenes in January 2019. Greenberg Traurig will provide additional updates if substantive changes are made.
¹ Out-of-state companies may be exempt from the CCPA if “every aspect” of the business’ commercial conduct “takes place wholly outside of California” or the company is not doing any business in the state of California. An out-of-state business is doing business in California if it actively engages “in any transaction for the purpose of financial or pecuniary gain or profit” in California. Employing California residents typically satisfies either test.
² CCPA’s definition of businesses includes parent companies and subsidiaries using the same branding, even if the parent or subsidiary by itself does not meet the CCPA’s $25 million annual gross revenues threshold or other criteria that bring an entity into the sweep of the CCPA.
³ Either alone or in combination with others.