California continues to lead the way on privacy and cybersecurity legislation with the enactment on June 28, 2018, of the California Consumer Privacy Act (“Privacy Act” or “Act”). The Privacy Act joins other California laws safeguarding California residents’ privacy rights under the California Constitution. Also, the Act adds to the steadily expanding number of state laws, including the laws of New York, Illinois, and Massachusetts, providing for the privacy and cybersecurity of personal information. The Act becomes effective on January 1, 2020, to afford California businesses sufficient time to achieve compliance.
It is not surprising that the Privacy Act’s enactment comes one month after the effective date of the European Union’s General Data Protection Regulation (“GDPR”). Nor is it surprising that the Act follows the recent congressional investigation into Cambridge Analytica’s apparent misuse of personal information stored on Facebook. The Act was enacted in response to private efforts by an organization called Californians for Consumer Privacy to place on the November 2018 ballot a statewide initiative titled the “Consumer Right to Privacy Act of 2018.” This effort reportedly resulted in more than 600,000 supporting signatures.
The Privacy Act applies to any for-profit business that (i) collects personal information on California residents, (ii) does business in the state of California, and (iii) satisfies one or more of the following thresholds: (a) has annual gross revenues in excess of $25,000,000; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Businesses that hit the thresholds will be covered even if they are located outside the state of California.
The Privacy Act establishes the rights of Californians:
- to know what personal information is being collected about them;
- to know whether their personal information is sold or disclosed and to whom;
- to say “no” to the sale of their personal information;
- to access their personal information collected and receive a copy;
- to be free from discrimination for exercising their privacy rights;
- to the deletion of their personal information, subject to certain exceptions; and
- to bring a private right of action if certain personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable cybersecurity procedures and practices.
Does the Privacy Act Cover the Personal Information of Employees?
While the Privacy Act is ostensibly a consumer protection statute, its requirements, on their face, apply in the employment context. The Act defines a “consumer” as “a natural person who is a California resident . . . however identified, including by a unique identifier.” Although the Act does not mention employees specifically, no provision excludes them from coverage. The Act, therefore, apparently protects the personal data of any employee who is domiciled in the state of California or who is in the state other than for transitory or temporary purposes.
There are legislative references indicating that the Act may protect an individual’s privacy rights in the collection of personal information in the workplace. The Legislative Counsel’s Digest to the Act highlights the sharing of personal information with a potential employer as covered under the Act: “It is almost impossible to apply for a job, raise a child, drive a car, or make an appointment without sharing personal information.” In addition, the Act includes “professional or employment-related information” as protected personal information. The California Chamber of Commerce has recognized the apparent inclusion of personnel-related information and recently issued an alert stating that “the bill provides ‘consumers’ with the right to request that a business delete their personal information, but the definition of consumer is so broad that it could apply to employees of a business.”
The Act also has a number of similarities to the GDPR (e.g., the right to notice of collection of personal data and the right to be forgotten), which applies in the employment context. Absent clarification by the California Legislature to exclude employers from the Act’s coverage in advance of the effective date, or subsequently by the courts, the Act will apparently extend additional privacy rights to California employees in connection with the collection by employers of their personal information. This conclusion is reinforced by the Act’s reference to the various statutes already on the books effectuating Californians’ constitutional right to privacy, including existing privacy and cybersecurity protections in the workplace, and the mandate that “the provisions of the law that afford the greatest protection for the right of privacy of consumers shall control.”
What Personal Information Is Covered?
The Privacy Act defines “personal information” as names and other individual personal identifiers, but also more broadly includes “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The following types of information that an employer may collect or process on job applicants or employees will fall within the definition of “personal information”:
- name, address, and telephone number;
- Social Security, passport, or drivers’ license number;
- email address;
- unique identifiers, such as Internet Protocol address, user identification number, or persistent cookies that may identify an individual;
- educational, professional, and employment-related information;
- financial or bank account information;
- medical or health insurance information of employees that is not protected health information (“PHI”) regulated by California’s Confidentiality of Medical Information Act or by the Health Insurance Portability and Accountability Act’s (“HIPAA’s”) privacy, security, and notification rules;
- characteristics of protected classifications under California or federal law (e.g., requests for accommodation that disclose a disability);
- biometric information; and
- any “inferential information” that may be drawn from any of the information collected to create a profile reflecting the individual’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Information that is “publicly available information” (i.e., information already made available from federal, state, or local records) does not constitute personal information. The Privacy Act also does not apply to the collection or sale of personal information if “every aspect of the commercial conduct takes place wholly outside of California.”
Although PHI is exempted, health care companies that otherwise collect personal information are subject to the Act’s requirements.
What Notices and Responses to Individual Requests Are Required?
The individual’s privacy rights are implemented under the Act through required notices and disclosures. A business that collects personal information must, at or before the point of collection, inform the individual in writing of the categories of personal information to be collected and the business purposes for which the categories of personal information will be used. The individual must also have the right to receive, upon request, a written disclosure of the categories and specific pieces of personal information that the business has actually collected, the categories of sources from which the personal information is collected, the business purpose for collecting (or selling) the personal information, and the categories of third parties with whom the business shares personal information. If the personal information was shared with third parties, the individual has the right to know the categories of third parties with whom the business shares personal information and the business purpose for disclosing the information. The business must, at a minimum, provide a toll-free number for an employee to make the request, and, if it maintains a website, a website address.
Does the Privacy Act Provide for a Right of Deletion of Personal Information?
A consumer must have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer. A business may refuse the request, however, in certain circumstances, including to comply with regulatory or other legal obligations requiring the information’s retention. The business may also refuse the request if it maintains the information for internal purposes in a lawful manner that is compatible with the context in which the information was originally provided. In the employment context, the exceptions to an employee’s right to request deletion may frequently permit the employer to continue to retain the records despite the request.
What California Employers Should Do Now
California employers should:
- plan for compliance while watching for any legislative or regulatory clarification in the coming months that may exclude the collection of employee personal information;
- identify the categories of employment-related personal information that fall within the Act and how the information is collected and processed;
- pinpoint the computers and information systems (e.g., laptops, servers, databases, cloud-based repositories, and communications systems) that process personal information and employment roles that have access to the personal information;
- identify any third-party vendors or business partners that maintain personal information of employees or applicants;
- determine the associated business reasons for the collection and processing of the “in scope” information falling within the Act’s definition of “personal information”;
- assess the value of the personal information collected and determine whether certain information may be excluded from collection on a going-forward basis because of the lack of a compelling business purpose;
- identify the policies, procedures, and technology that must be implemented to achieve compliance as to the “in scope” personal information and systems (e.g., updated privacy policies, revised employee handbooks, notices regarding inquiries about current and prior employees’ employment history, benefits forms, just-in-time website notices, or other disclosures that will be needed at the time the information is provided), and consider privacy by design and policies, procedures, and technologies to evaluate and implement individual requests for the deletion of personal information across systems, when required;
- set up a hotline and process to quickly address and resolve complaints;
- identify any cybersecurity protections that may need to be applied to protect personal information within the data breach and private right of action provisions of the Act, including the 20 controls in the Center for Internet Security’s Critical Security Controls;
- speak to insurance brokers and insurance companies regarding purchasing cybersecurity insurance given the Act’s private right of action; and
- develop a plan to curtail the collection of personal information or to ensure compliance as of the January 1, 2020, effective date.