As we move closer to implementation of the California Consumer Privacy Act of 2018 (“CCPA”), companies should consider how the new law could affect their operations in multiple ways – including, for example, data collected through their employee benefit plans.
As we have previously reported, the CCPA applies broadly to any for-profit business that meets certain thresholds and that collects personal information regarding consumers. While use of the term “consumer” may suggest a particular type of relationship, the term is defined broadly to include any California resident – and as a result, in its current form the CCPA also will apply to information collected by covered businesses about their California employees. Whether the CCPA also applies to data collected about California residents under employee benefit plans of covered businesses will likely depend in part on the type of plan:
- Health Plans. As we have previously posted, the CCPA was amended in September 2018. One of the key changes made at that time was the addition of an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to the HIPAA privacy rules. Because employer-sponsored health plans are HIPAA-covered entities, any PHI held by a self-insured plan and subject to HIPAA will be outside the reach of the CCPA. The exemption also applies to PHI held by business associates, such as third-party administrators for health plans. However, certain other health-related information that is held by an employer outside of the health plan – such as information related to disability benefits or sick leave – is not covered by this exemption.
- Retirement and other ERISA Plans. The CCPA does not specifically address its application to benefit plans not covered by HIPAA. For plans that are subject to the Employee Retirement Income Security Act of 1974 (“ERISA”), such as 401(k) plans and other qualified retirement plans, it is possible that the CCPA could be preempted by ERISA – but unlike the health plan exemption, it is not clear from the statute.
  - In general, ERISA preempts state laws that govern a central matter of plan administration or that impermissibly interfere with nationally uniform plan administration. For example, in its 2016 decision in Gobeille v. Liberty Mutual Insurance Company, the U.S. Supreme Court held that ERISA preempted a Vermont law requiring various entities, including self-insured plans and third party administrators, to report payments relating to health care claims and other information regarding health care services.
  - The CCPA imposes new requirements regarding retention and deletion of personal information, and certain disclosures regarding use of personal information. Because reporting, disclosure and recordkeeping are key areas of regulation under ERISA, it is possible the law could be preempted on the basis that it impermissibly interferes with plan administration. In the absence of further guidance, however, it is not certain to what extent preemption would apply – and it is also possible that a court could find that ERISA preempts some aspects of the law but not others.
- Non-ERISA Benefits and Employment Practices. Even if the CCPA is ultimately determined to be preempted in the context of ERISA plans, it will still apply to data collection by an employer in its capacity as an employer, as well as data related to benefits and policies not covered by ERISA. This includes information collected by an employer in connection with administering vacation, sick leave, paid time off or leaves of absence. Other benefits that are generally not subject to ERISA include health savings accounts, dependent care flexible spending accounts, many short-term disability plans and certain voluntary benefits.
The California State Legislature is expected to consider more changes to the CCPA in 2019 – so we may receive more guidance about the application of the law in the employment context. In the meantime, employers and benefit plan sponsors subject to the CCPA will want to consider how the new law could apply to their own benefit plans and the data of their plan participants and beneficiaries. Since many plans are administered by third party record-keepers, employers and plan sponsors may also want to reach out to their vendors to ask about any plans being put in place to comply with the CCPA.