Last Friday, California Governor Gavin Newsom signed several bills into law that amend the California Consumer Privacy Act of 2018 (“CCPA”) in a number of key ways. Critical to California employers, one of those bills (AB 25) delays obligations under the CCPA as to job application and certain employment information from January 1, 2020, to January 1, 2021. However, other parts of the CCPA remain applicable to employers. While employers have a one-year reprieve to implement CCPA-compliant policies and practices related to job application and certain employment information, now is the time to consider starting that process as well to ensure compliance with all other parts of the statute applicable to employers. Below we highlight the key amendments to the CCPA and set forth steps California employers should consider in preparing for the CCPA.
Amendments to the CCPA
The bills signed into law amending the CCPA include those (1) delaying application of the CCPA to certain employment-related information for one year (AB 25); (2) clarifying the definition of “personal information,” including the exclusion of de-identified and aggregate data and information (AB 874); (3) limiting exemptions for personal information received in connection with a product warranty claim (AB 1146); (4) clarifying that most businesses must make available to customers a toll-free number and at least one other method for submitting requests for information (AB 1564); and (5) revising the private right of action provision (AB 1355).
Specifically under AB 25, information that is collected from individuals in the course of a job application or from employees in the course of employment is exempt from the CCPA until January 1, 2021. However, the notice provision (Cal. Civ. Code § 1798.100(b)) and private right of action provision (Cal. Civ. Code § 1798.150) still will apply as of January 1, 2020. (For a complete discussion of the amendments to the CCPA, please see here.)
Notwithstanding the one-year moratorium for application of the CCPA to job application and employee information, employers should consider the steps necessary for impending compliance requirements.
A. Confirm Compliance with CCPA Notice Requirements Because the notice provisions of the CCPA have not been delayed under AB 25, employers should review current privacy notices and confirm they are updated to conform to CCPA requirements as of January 1, 2020. The CCPA requires employers to issue notices that describe the categories of information being collected, as well as how that information is collected, used, shared, and disposed of. It is presently unclear what level of specificity is required in the notices.
B. Review Security Measures The CCPA provides a private right of action to individuals in the event of a data breach that occurs as “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature and the information to protect the personal information.” As noted above, the private right of action provision, as it applies to job applicant and employment information, is not delayed until January 1, 2021; it still takes effect next January 1. Thus, organizations should work with their internal security team(s), or possibly external security contractors, to ensure that proper security measures are in place now.
C. Identify and Map Employment Data Given broad definitional terms within the CCPA—that now will apply January 1, 2021—a wide-range of employment-related data could be impacted by the CCPA. Accordingly, employers should consider conducting an organization-wide inventory of applicant- and employment-related data.
After identifying relevant employment-related data, entities should consider creating data maps to documents from where data came and with whom it is shared. Such information is helpful in responding to requests for access to and/or deletion of information.
D. Raise Awareness Across the Organization Now is the time to involve decision-makers and business leaders regarding the potential impacts of the CCPA as to employment data and information. Education may need to happen across all levels of an organization. For example, it may be necessary to train individuals involved in hiring regarding new processes for CCPA-compliance.
E. Implement Processes to Meet Individuals’ Rights Once the one-year moratorium expires on January 1, 2021, the CCPA will, arguably, allow job applicants and employees to:
- know what personal information is being collected;
- access personal information collected;
- request the deletion of personal information collected;
- know with which third parties personal information is shared; and
- while unlikely in the employment context, know if any personal information is being sold, opt out of such sale, and be compensated for the sale of personal information.
As applicable in the job applicant and employment information areas, employers may need to create policies and practices to allow for the execution of such rights.
F. Prepare to Respond to Individual Access Requests Once the one-year moratorium expires on January 1, 2021, employees may start requesting access to personal information. Responses to requests will be required within 45 days, so internal procedures will need to be dynamic and efficient. Employers should prepare for such requests, including determining procedures for receiving, processing, and responding to such requests.
G. Review Data Retention Schedules The CCPA provides that individuals can request access to information collected up to one-year prior to the date of the request. Employers therefore should review data retention schedules against this impending requirement.
As we have communicated since its passage in 2018, the CCPA will impose significant burdens on California companies. While AB 25 has delayed application of the CCPA to job applicant and employer information by one year, other parts of the law will become applicable to employers on January 1, 2020. Employers should use this time to prepare for compliance on January 1, 2021. The Paul Hastings Employment Law Department and Privacy Group are equipped to assist employers throughout this transition.