As you likely know, enforcement of the California Consumer Privacy Act (CCPA) officially begins July 1, 2020. What you may not know, though, is the impact that CCPA will have on employees and their information and that a second round of requirements (effective Jan. 1, 2021) extend employee rights beyond the current requirements.
Comparisons to the EU’s General Data Protection Regulation (GDPR)
While there are many similarities, CCPA extends many of the consumer’s rights beyond those defined in GDPR and significantly extends the types of data that can be in scope for CCPA compliance. CCPA defines eleven (11) categories of personal information (PI):
|Identifiers||Select Information in Customer Records|
|Legally Protected Characteristics||Commercial Purchasing Information|
|Biometric Information||Internet or Network Activity|
|Geolocation||Information Typically Detected by the Senses|
|Employment Information||Education Information|
|Inferences from Any/All of the Above Used to Profile|
However, the definition of PI is not necessarily limited to these categories. Under CCPA, it includes anything that identifies, can be related to, describes, is able to be associated with, or might be reasonably linked, either directly OR indirectly, with a specific consumer OR household. This means that there is potentially an extremely large set of data that can be considered PI under the CCPA.
Note that this definition of PI does not include deidentified or aggregate consumer information and publicly available information, which is defined as information lawfully made available from federal, state, or local government records.
In terms of consumer rights, CCPA is actually very similar to GDPR. Consumers have the right to request that:
- A company disclose to the consumer the categories and specific pieces of PI the company is collecting or has collected over the past twelve months (including any information from third parties with whom the data is shared)
- A company not sell their data (note: the term “sell” is broadly defined)
- Their data be deleted
- Their data be transferred (data portability)
- They may be opted out of data collection
However, unlike GDPR, under CCPA consumers do not have the right to request:
- Rectification of their data
- Restrictions on their data usage be implemented
Additionally, CCPA places slightly modified age limits on authorization for data collection. Whereas GDPR requires parental consent for those under 16 years old, CCPA lowers that to 13 years old. Ages 13-16 requires explicit written consent from the individual under CCPA.
Employee Rights Under CCPA
One significant area that has not yet received much attention in the press is the fact that CCPA applies equally to company employees, giving them many of the same rights as those of consumers. The CCPA PI is defined so broadly that it covers all information collected, maintained, or shared about job applicants, employees, and their family members or dependents that might identify the individual or be used in conjunction with other information to identity the individual.
In order to allow time for employers to prepare fully for this requirement, Assembly Bill 25 (AB-25) was signed into law. This statute exempts employers from compliance with CCPA requirements related to their employees until January 1, 2021, provided that employers are ONLY collecting the data of employees and job applicants for purposes relating solely to employment. This would include, for example, the name of an employee in conjunction with the state or federal protected category they are in (such as age, race, gender, sexual orientation, religion, disability, etc.). However, it may also include network or internet activity logs on company computers assigned to employees that show user activity such as search and browser history. Additionally, the definition of PI lists “professional or employment-related information” without any further definition or parameters of what that entails.
Covered employee information potentially could include, for example, personnel files, payroll records (pay stubs, timesheets, direct deposit information, tax withholding information, etc.), health insurance records, workers’ compensation files, and training records. If a company provides its employees any company computers or devices and collects information about their internet usage or geolocation information (to track where they go with company-issued devices), this information is likely also subject to the CCPA.
There are some exceptions, but they are limited in scope rather than being fully exempt from the CCPA. A HIPAA-covered entity, for example, is exempt from the CCPA with respect to patient information that is maintained in accordance with HIPAA regulations, but it is NOT exempt with respect to the data of its California-based employees and job applicants. Similarly, a consumer credit reporting agency or background check company is exempt from the CCPA with respect to information in consumer reports that it compiles and provides to its clients, but it is NOT exempt with respect to the data of its own California-based employees and job applicants.
Final Thoughts on CCPA
Compliance with CCPA is not a simple job, and most companies will need to undertake significant measures to prepare for CCPA compliance. Documentation is critical to the success of CCPA compliance; it defines all aspects of consumer data management and is the singularly most important method to prove compliance with consumer requests. Additionally, a comprehensive data mapping of the entire organization should be undertaken in order to ensure that ALL uses of PI are located and documented. Automated tools to handle aspects of compliance and governance requirements may be needed to ensure continuity of compliance over time and to assist in the documentation management processes.
It is likely that the California Attorney General will be aggressive in pursuing violators, since the fines for non-compliance help fund the program (estimated to cost $50MM per year). Even with fines of up to $7500 per record (1,000 records = $7.5MM fine), it will require a lot of successful cases to fund the enforcement program.
Companies that are not currently compliant have a rapidly shrinking window in which to achieve compliance before enforcement begins.