The California Consumer Privacy Act (CCPA) established the strictest data privacy law in the United States. Although a California law, it applies to many businesses outside the state that meet the qualifying criteria and collect personal information from residents of California. For the last two years, employers have benefited from a partial exemption under this law for all employee data. That exemption will end on December 31, 2022. Although there were two separate bills seeking to continue that exemption for an additional three years (AB 2891) or indefinitely (AB 2871), neither was passed by the Legislature in its final 2022 session. As a result, employers will need to comply with all requirements of the CCPA effective January 1, 2023.
What Obligations Do Employers Have Now?
Currently, data collected from “employees”―which also includes job applicants, business owners, directors, officers, medical staff or contractors, emergency contacts and beneficiaries―is exempt from all but two provisions of the CCPA: (i) employers must provide an initial disclosure to all employees at or prior to the point of collection, and (ii) employees still have a right to statutory damages in the event of a data breach. These two obligations already apply to any business with employees in California that meets the qualifying criteria.
What Rights Will Be Granted to Employees on January 1, 2023?
An employer’s collection, use, retention and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed or for another compatible purpose that has been disclosed to the employee.
Most notably, once the employee exemption sunsets at the end of the year, the CCPA will provide employees with the following key privacy rights:
Right to Access
Employees will have a right to request access to their personal information, including meaningful information about the logic of any automated decision-making technology applied to them and a description of its likely outcome. Such information must be provided free of charge. If provided electronically, it must be portable and, to the extent technically feasible, in a readily usable format that allows the employee to transmit their information to another entity without hindrance.
Right to Correct
Employees will have the right to request that a covered employer use commercially reasonable efforts in order to correct inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
Right to Delete
Employees will have the right to request that a covered employer delete their personal information, subject to several broad exemptions. Employers that receive verifiable requests to delete personal information must notify service providers and contractors to delete the personal information from their records. Employers must also notify third parties to whom they have sold or shared such personal information of the employee’s request to delete, unless doing so would prove impossible or involve disproportionate effort.
Right to Know
Employees will have the right to know (through a general privacy policy and with more specifics available upon request):
- The categories of personal information collected.
- Specific pieces of personal information collected.
- The categories of sources from which the business collected personal information.
- What the personal information is being used for (the business purpose).
- The categories of third parties with whom the business shares the personal information.
- The categories of information that the business sells or discloses to third parties.
Right to Opt Out
Employees will have the right to “opt out” of having their personal information sold to or shared with third parties.
- “Selling” is broadly defined and includes sharing or disclosing personal information for monetary compensation or other valuable consideration.
- “Sharing” is defined as disclosing or making available personal information to third parties for “cross-context behavioral advertising,” regardless of whether money is exchanged.
Employees also have the right to opt out of the use of automated decision-making technology, which may include candidate screening and assessment software; the scope of this right is subject to regulations to be issued by the California Privacy Protection Agency.
Right to Limit the Use and Disclosure of Sensitive Personal Information
Employees also have the right to limit the use and disclosure of sensitive personal information to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services,” subject to certain exemptions.
What Employers Are Covered Under the CCPA?
The CCPA does not cover all businesses. It applies to for-profit entities doing business in California that collect personal information from California residents and meet at least one of the following three criteria, as updated and effective January 1, 2023:
- Have annual gross revenue in excess of $25 million in the preceding calendar year;
- Alone or in combination, annually buy, sell or share the personal information of 100,000 or more consumers or households; or
- Derive 50 percent or more of annual revenue from selling or sharing consumers’ personal information.
What Are the Penalties?
Covered businesses will no longer automatically get notice and a 30-day cure period that currently applies to CCPA enforcement by the California attorney general.
Going forward, the newly formed California Privacy Protection Agency, alongside the attorney general, will enforce the CCPA through administrative fines and civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving the personal information of consumers under 16 years of age.
For data breaches, the CCPA also provides a private right of action, including consumer class action lawsuits, with statutory damages between $100 and $750 per California resident, per incident, or actual damages, whichever is greater, if nonencrypted and nonredacted personal information in certain categories is compromised as a result of a failure to implement and maintain reasonable security procedures and practices. Because the private right of action attaches only to nonencrypted and nonredacted data, encryption of employee records at rest and in transit materially reduces this exposure.
Key Steps for Compliance
Employers must, among other things, consider the following key steps for compliance.
- Determine whether the CCPA applies to your business and, if so, whether you have employees, applicants or contractors who reside in California.
- Conduct a data inventory to identify all personal information that the organization has and map all connected data flows.
- Draft a full employee privacy policy with required disclosures, description of rights and how to exercise those rights.
- Develop procedures for handling data requests for employees and train key employees on how to handle such requests.
- Update agreements for all service providers and contractors with access to personal information.
- Develop data governance policies that address the new categories of sensitive personal information, ensure that collection, use, retention and sharing are reasonably necessary and proportionate to the purposes for which the personal information was collected or processed, and identify the criteria that will be used to determine how long employee data is retained.
- Review information security programs, conduct an updated risk assessment to close any gaps, and consider whether a privacy impact assessment is needed.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, any of the attorneys in our California Consumer Privacy Act, any of the attorneys in our Employment, Labor, Benefits and Immigration Practice Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.