With the May 25, 2018 effective date of the European Union’s General Data Protection Regulation (GDPR) barely in the rear-view mirror, California’s Governor Jerry Brown, on June 28, 2018, signed into law the “California Consumer Privacy Act of 2018”1 (CCPA or “the Act”). The law flashed onto the scene after a concerned and wealthy California citizen funded, and obtained the approval of, a ballot initiative for a similar law to be placed on the November 2018 electoral ballot. The initiative’s backer used that approval as leverage in the waning days of June to force the California government to enact an alternative law in exchange for his withdrawal of the initiative from the November 2018 ballot before the June 30 publication deadline. The CCPA is aimed at granting individuals more control over their personal information and more insight into how businesses use and disclose their personal data.
By its name and its stated purpose, the CCPA ostensibly is only consumer protection legislation with a focus on e-commerce. The Act’s legislative findings highlight the revelations in March 2018 that “tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica.”2 The findings then express the “intent of the Legislature to further Californians’ right to privacy by giving consumers an effective way to control their personal information, by ensuring the . . . rights” established by the Act.3
The Act is written so broadly, however, that it could be read to confer rights on employees vis-à-vis their employers with respect to their personnel records. In this article, we describe how the Act creates this confusion, explain why the Act likely is not intended to be read so broadly, and identify the practical implications for employers if the Act were read to apply to their personal records. Fortunately, the Act does not go into effect until January 1, 2020, giving the California legislature time to amend and clarify a piece of legislation that was hastily drafted and rushed to Governor Brown’s desk for signature.
Does the CCPA Confer New Rights on Employees With Respect to Their Personnel Records?
While the Act’s name and legislative findings leave no doubt that the CCPA is a consumer protection law, other aspects of the Act could be read to suggest that it also confers rights on employees, and burdens on employers, with respect to personnel records. To begin with, the Act defines “consumer” without reference to the relationship between the individual and the entity that collects the individual’s personal information. Instead, the Act defines “consumer” broadly to include employees, i.e., “a natural person who is a California resident . . . however identified, including by unique identifier.”4 At the same time, the Act’s definition of “personal information” includes “professional or employment-related information,”5 which arguably could include an employer’s personnel records. The legislative findings specifically cite “apply[ing] for a job” as one of the activities that is “almost impossible to do . . . without sharing personal information” to support the need for the legislation.6 Moreover, nowhere does the Act either state that it applies only to personal information, collected in the course of a consumer transaction or expressly exclude “personal information” collected by an employer about its employees for employment purposes.
Despite these ambiguities, several aspects of the Act strongly suggest that California’s legislature did not intend to confer new rights on employees vis-à-vis their employers with respect to their personnel records. As an initial matter, neither the legislative findings nor the Act itself ever uses the word “employer” or “employee”; instead, the findings reference only “consumers” and “businesses.” Furthermore, the Act defines “business” by reference to the entity’s annual gross revenue; the number of consumers, households or devices about which the entity processes personal information; or the percentage of the entity’s annual revenue derived from selling consumers’ personal information.7 By contrast, employment laws almost uniformly define an employer by reference to the number of the entity’s employees.8
The Act’s requirement to notify consumers of their right to opt out of the sale of their personal information, one of the central new rights conferred on consumers, also supports the conclusion that the CCPA is not intended to address the personal information collected during the employment relationship. The Act mandates delivery of that notice through the business’ publicly facing “Internet webpage.”9 That method of notification would be anomalous in the employment context where mandatory notices to employees customarily are delivered by physically posting them in the workplace, delivering them directly to employees, or including them in an employee handbook.10
The Act’s anti-discrimination provisions also appear to demonstrate the legislature’s intent not to regulate records management in the employment context. That provision prohibits businesses from discriminating against consumers who exercise their rights under the Act by denying service, charging different prices, or providing a lower-quality product.11 Had the legislature intended the Act to regulate the collection of personal information during the employment relationship, it almost surely would have prohibited a business from discriminating in the terms or conditions of employment against consumers exercising their rights.
Finally, the Act’s protections expressly extend to consumers under the age of 16, with additional protection for minors under the age of 13.12 With the exception of child labor laws, few if any laws relating to the employment relationship provide specific provisions for minors, especially those under 13.
Taken together, these points demonstrate the CCPA almost surely is not intended to confer rights on employees vis-à-vis their employers with respect to personnel records.
Practical Implications for Employers if the CCPA Were Applied to Personal Information Collected in the Context of the Employment Relationship
While it is unlikely that the Act applies to personal information collected in the context of the employment relationship, employers still should consider the Act’s practical implications in the event the legislature does not amend the CCPA before it goes into effect to clarify that the new law does not confer rights on employees with respect to employment records maintained by their employer. The Act confers the following new rights on consumers: (a) the right to access personal information collected by the business;13 (b) the right to information about the business’ collection, sale, and other disclosure of the consumer’s personal information collected by the business;14 (c) the right to request deletion of personal information collected by the business;15 and (d) the right to opt out of the business’ sale of the consumer’s personal information.16 Of these rights, the right to access, if applicable, has the potential to be highly burdensome; the right to information should be manageable; and the deletion and opt-out rights should have minimal impact.
Under the right of access, a business is required, within 45 days of receiving a consumer’s verified request, to provide all personal information collected by the business, free of charge. Given the breadth of the Act’s definition of “personal information,” many employers would be challenged to compile all information falling within the scope of a request. More specifically, the access request could encompass the following categories of personal information:
- All identifiers related to the employee, including, for example, Social Security number, driver’s license number, passport number, and contact information;17
- Physical characteristics or description, insurance policy number, education, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;18
- “Biometric information,” such as that collected through a biometric time clock;19
- “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement,” which would encompass a substantial amount of the information collected by many employers through standard workplace monitoring;20
- “Geolocation data,” which arguably could include information collected by employers through GPS units in company-owned vehicles as well as location information collected through applications downloaded by field employees to their company-issued mobile devices;21 and
- “Professional or employment-related information,” which effectively would include everything in an employee’s personnel file.22
Fortunately for employers, there are several important limitations to this right. Most notably, it would apply only to entities falling within the Act’s definition of “business,” meaning businesses with annual gross revenue exceeding $25 million; that maintain information on more than 50,000 consumers, households or devices; or that derive more than half their annual revenue from the sale of personal information.23 In addition, the right of access covers only the 12 months preceding the verified request, limiting the burden of responding to requests by long-term employees.24 Finally, the Act provides that the rights afforded consumers “shall not adversely affect the rights and freedoms of other consumers.”25 Consequently, an employer would not be required to provide an employee with access to information the disclosure of which could be detrimental to co-workers.
The right to information about collection and disclosure of personal information requires that a business, in response to a consumer’s verified request, provide a report listing all types of personal information collected, the purposes for which the information will be used, the categories of sources for the collection, and any disclosure of that personal information. This right is subject to the same limitations as the right of access.26
In comparison to the access and information rights, the right to opt out of sales of information and the right to delete information should have minimal impact on employers. Employers rarely, if ever, sell employees’ personal information to third parties other than in the course of a merger or acquisition. Yet the Act’s definition of “sale” in connection with consumers’ personal information expressly excludes such corporate transactions.27 Consequently, even if an employee were to exercise this right with respect to personal information in employment records, the opt-out would have no practical effect.
The right to deletion is subject to several exceptions that similarly minimize the right’s impact as applied to personal information collected for employment purposes. First, the right does not apply to personal information the business must retain to comply with a legal obligation.28 Employment records typically include substantial amounts of personal information that employers are legally required to retain, such as payroll records subject to the Fair Labor Standards Act’s three-year retention period and the obligation under IRS regulations to retain tax records for four years.29 The Act also excludes from the right to deletion any personal information that the employer needs: (a) “[t]o enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”; and (b) “[o]therwise [to] use . . . , internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”30 While the Act does not define “internal use” or “internally,” those terms can reasonably be construed to encompass administration of the employment relationship.
Putting aside individual rights, employers should take particular note of the Act’s provision related to data security breaches, which could have a significant impact on employers subject to the CCPA. The provision states that where a consumer’s personal information is disclosed through unauthorized means, stolen, or otherwise hacked as the result of the business’ failure to implement reasonable security procedures, the consumer has a civil cause of action against the business and can recover statutory damages, on a class basis, of between $100 and $750 per affected consumer per incident. However, before filing suit, the consumer must give the business written notice of the alleged violation and 30 days to cure.31 This provision creates a significant incentive for employers to review their information security practices and to address any deficiencies before the Act goes into effect.
While the California Consumer Protection Act of 2018 provides broad privacy protections for consumers, the Act likely does not apply to personal information collected by employers for employment purposes. The California legislature may amend the Act before its January 1, 2020 effective data to clarify whether it applies to employers. Employers should watch out for such a development. If the legislature were to specify that the Act does apply to employers, the access and information rights would impose significant burdens, and the right to recover statutory damages in the event a data breach resulting from a failure to implement reasonable information safeguards would expose employers to substantial litigation risk and monetary exposure. Consequently, any clarification that the Act applies to employees’ personal information collected in the context of the employment relationship would be a call to action for employers falling within the scope of the Act.