California Consumer Privacy Act: FAQs for Employers
03/07/19
Author: ADP Admin/Monday, March 4, 2019/Categories: State Compliance Update, California
California Consumer Privacy Act: FAQs for Employers
Overview: Data privacy and security regulation is growing rapidly around the world, including in the United States. The recently enacted California Consumer Privacy Act (CCPA) is intended to address some of these risks and concerns.
Effective Date: January 1, 2020
Details:
Data privacy and security regulation is growing rapidly around the world, including in the United States. In addition to strengthening the requirements to secure personal data, individuals are being given an increasing array of rights concerning the collection, use, disclosure, sale, and processing of their personal information. Meanwhile, organizations’ growing appetite for more data, and more types of data, persists, despite mounting security risks and concerns about permissible use. The recently enacted California Consumer Privacy Act (CCPA) is intended to address some of these risks and concerns.
The CCPA, which becomes effective on January 1, 2020, is in some ways the most expansive privacy law currently in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data, such as the right of access, the right of erasure (popularly known as the “right to be forgotten”), and the right to restrict the processing of personal data. In addition to mandating security for personal data, GDPR requires that individuals be notified of such things as the purpose and legal basis for processing their personal data, the categories of recipients of that data, and if the data has been breached. Many of these same principles are present in the CCPA.
The CCPA is certain to affect businesses across the U.S. and globally, and spur similar legislation in other states. In January 2019, a group of senators in Washington state, for example, introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.
With the CCPA’s effective date fast approaching, regulations being prepared by California Attorney General Xavier Becerra’s office, and considering that certain provisions may reach back prior to the effective date, businesses need to begin preparing as soon as possible. These FAQs are intended to call attention to some of the pressing issues relating to the CCPA’s application to employee personal information, and highlight action items that can help businesses’ compliance efforts.
- What businesses do the CCPA apply to?
The CCPA will apply to any entity that does business in the State of California and satisfies one or more of the following: (i) annual gross revenue in excess of $25 million, (ii) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers’ personal information.
Regulations may clarify one or all of these prongs, but some small businesses will not be able to escape the CCPA’s reach. The law is trying to reach businesses with significant amounts of data, and that could very well be smaller companies. Additionally, businesses with small operations in California that meet one of these requirements will have significant privacy obligations with respect to those operations.
- Does the CCPA apply to employment data?
The application of the CCPA to employee data remains an open question. On its face, the CCPA appears to apply only to California “consumers.” However, the CCPA’s definition of consumer (a California resident), combined with California’s longstanding practice of protecting individual privacy rights, suggests that the CCPA also may extend to the personal information of California residents maintained as part of the employment relationship. If so, this would include residents of California who are job applicants, full- or part-time employees, temporary workers, interns, volunteers, independent contractors, and even such persons’ dependent(s) or beneficiary(ies). For purposes of these FAQs, we refer to these individuals as “Workforce Members.” The definition of “consumer” states: “a natural person who is a California resident.” 1798.140(g). That definition is not qualified by requiring such natural persons to be purchasing goods or services from businesses subject to the CCPA. It includes all persons who are residents in California. Additionally, one of the examples for what constitutes “personal information” under the law is “[p]rofessional or employment-related information.” 1798.140(o).
On the other hand, the name of the law itself, and the fact that the law does not mention employers or employees, suggests that the legislature intended to protect the personal information of California residents in their role as consumers, and not employees (or Workforce Members). Additionally, prohibited discriminatory acts under the law include (i) denying goods or services, or providing a different level or quality of the goods and services, to the consumer, (ii) charging different prices or rates for goods or services, or (iii) suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. Unlike what one might expect for a law protecting Workforce Members, the CCPA does not include acts that relate to the employer-employee relationship.
So, perhaps the CCPA’s reference to professional or employment-related information intended to reach such data not in the hands of employers, but businesses handling such data for commercial purposes (such as a recruiting business). But, the CCPA has already been amended once. When those amendments were being considered, there was an effort to exclude employees from the CCPA’s reach. Those amendments, passed as SB 1121, made no change to the definition of “consumer” or any other change that would indicate an intention to exclude Workforce Members personal information from protection under that law.
Employers will have to wait and see whether there will be any additional amendments, or whether the Attorney General will clarify the issue through regulation. Currently, Attorney General Becerra is in the middle of six rulemaking workshops around the state in order to assist his office in formulating those regulations. Employers should watch these developments closely, but they also should consider taking some preliminary steps in order to be prepared to comply.
The remainder of this article assumes that the CCPA will be found to apply to Workforce Members data.
- What is personal information under the CCPA?
The CCPA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably linked directly or indirectly to a particular consumer or household. This might be a name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number or passport number, biometric information, bank account number or any other financial information, geolocation data, audio, electronic, or visual information, employment-related information, certain education information, or medical or health insurance information. It also may include inferences drawn from any such information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. In the employment context, personal information is likely to be present in:
- A job application, resume, or CV;
- An employment contract or independent contractor agreement;
- A performance review or disciplinary record;
- A photo used for an identification badge or organizational chart, marketing, or website;
- Biometric data used for timekeeping or facility access;
- Backup files;
- Information from company devices or vehicles, including geolocation data;
- Browsing history or search history;
- Information used for payroll processing and benefits administration;
- Internal or external contact information maintained in the electronic onboarding, HRIS system, or Active Directory; or
- Information captured from video, audio, systems, or other forms of monitoring or surveillance.
Personal information also might include data collected about Workforce Members as part of an organization’s human capital analytics or talent management programs. As noted above, the law applies to information used to create a profile about a natural person who is a California resident that would reflect such person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. For organizations that use sophisticated analytics programs to assist their human resources department in recruiting and developing the best talent, CCPA could create some compliance challenges.
The CCPA does not apply in certain situations, some of which may be relevant in an employment context. For example, the CCPA does not apply to medical information governed by the Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associates governed by the privacy, security, and breach notification rules of HIPAA/HITECH. Thus, the CCPA is unlikely to apply to a Workforce Member’s personal information accessed, created, or maintained in connection with the employer’s group health plan. Likewise, medical information that an employer receives in connection with a Family and Medical Leave Act certification, Americans with Disabilities Act reasonable accommodation, workers’ compensation claims, and so on, likely would not be subject to CCPA to the extent it is covered under the CMIA. See Cal. Civ. Code Sec. 56.20.
- If the CCPA applies to certain employers and their Workforce Member data, would it apply to personal information collected in connection with the administration of employee benefits?
Yes, but perhaps not to all of those employee benefits. If the CCPA applies to Workforce Member data, and considering the broad definition of personal information discussed above, data involved in the administration of employee benefits generally would be within the scope of that definition. However, the CCPA provides specific exemptions that may exclude certain benefit plan data from its reach; namely, plans subject to the HIPAA privacy and security regulations (such as medical plans, dental plans, and health flexible spending arrangements).
There are, of course, may other kinds of employee benefits, such as pension and 401(k) plans, life and disability insurance plans, tuition assistance programs, employee discount programs, wellness program, transportation fringe benefit programs, and others. However, some of these employee benefits may involve plans that are subject to the Employee Retirement Income Security Act of 1974 (ERISA), which preempts certain state laws to the extent those laws relate to ERISA-covered employee benefit plans. A complete discussion of ERISA preemption is beyond the scope of this article, but a significant purpose behind it is to promote uniform administration of benefit plans nationally, avoiding a state-by-state approach. The application of the CCPA, and similar laws in other states likely to follow, certainly would complicate the national administration of such plans.
- What rights would a Workforce Member have?
- What obligations do the notice and rights provisions of the CCPA place on businesses?
As discussed above, under the CCPA, covered businesses, including employers, will need to provide notice to Workforce Members that includes the types of personal information collected by the business and how it is used; the Workforce Member’s right to access that personal information; the right to delete the information; the right to know the third parties with whom it is shared; and the right to object to its sale to third parties, if applicable.
The CCPA also demands that covered businesses take steps to enable consumers to exercise these rights. Thus, for example, covered businesses will be obligated to make available two or more mechanisms for submitting requests for information required to be disclosed under the CCPA, including, at a minimum, a toll-free telephone number and, if the business maintains an internet web site, a web site address. When requests for information are made under the CCPA, businesses generally must respond to verifiable Workforce Member requests within 45 days. That period may be extended as long as the Workforce Member is notified within the first 45-day period. The response must cover the 12-month period preceding the receipt of the request. Responses must be in writing and the business is not required to respond to more than two requests for the same Workforce Member during a 12-month period. The CCPA requires that the employees designated to handle the responses to these requests receive training.
- Can a Workforce Member agree to waive his or her rights?
No. The CCPA specifically prohibits any contractual provision or agreement that attempts to waive or limit the CCPA’s rights, including the right to remedy or enforcement. As a result, any attempt to limit a Workforce Member’s rights, whether by employment contract, agreement, or policy, would be unenforceable.
- Where is Workforce Member personal information typically stored by organizations?
Protections under the CCPA apply to personal information regardless of its format. Thus, when thinking of where to look, employers should look broadly. For example, Workforce Member personal information can be stored in multiple locations, such as: a business’s electronic onboarding system, HRIS system or Active Directory; file shares or backup files; in benefits or training records; in file cabinets or on a copy machine’s hard drive; a manager’s “desk copy”; or with third party services providers, such as a payroll processor or travel agency. It is imperative that covered businesses review, assess, and understand their existing data storage practices.
- Does the CCPA require specific security safeguards to protect Workforce Member personal information?
The CCPA’s focus is on privacy of personal information and extending greater control to individuals concerning their data. However, security is an element of privacy and while the CCPA does not expressly require the implementation of specific security measures, it notes a business’s duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” To do so, organizations typically would need to conduct a risk assessment that reviews the types and sensitivity of its Workforce Members’ personal information, as well as the risks to the security and privacy of this information. If California employers have questions about specific safeguards for maintaining security, they can refer to the California Attorney General’s February 2016 Data Breach Report, which discusses best practices for data safeguarding. Employers should be aware similar frameworks are mandates in other states, such as Colorado, Massachusetts, and Oregon.
- Can a covered business be sued for violating the CCPA?
The CCPA authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards which result in a data breach. The definition of personal information for this purpose is much narrower than the general definition of personal information under the CCPA. Here, the CCPA incorporates much of the definition of personal information under the California breach notification law. See Cal Civ. Code Section 1798.81.5(d)(1)(A). What should be troubling for covered businesses is that, if successful, a plaintiff can recover damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. Thus, in addition to notifications a covered business may have under the state’s breach notification law, class action lawsuits brought pursuant to this provision of the CCPA could be very costly.
Before a Workforce Member would be able to bring a lawsuit following an employer’s data breach, he or she must provide the employer 30 days’ written notice identifying the specific provisions of the CCPA that were violated. If cure is possible, and if within the 30 days the employer actually cures the noticed violation and provides an express written statement that the violations have been cured and that no further violations shall occur, the Workforce Member would not be able to pursue the action for individual statutory damages or classwide statutory damages. The Workforce Member still could seek actual pecuniary damages suffered as a result of the alleged violations.
- What happens to Workforce Member personal information if the business is acquired?
Workforce Member personal information may be part of business assets that are transferred to a third party in the course of a merger, acquisition, or bankruptcy when the third party assumes control of all or part of the business. This type of transfer is not deemed a sale of personal information for the purposes of the CCPA. Notwithstanding, if the third party materially alters how it uses or discloses the Workforce Member’s personal information and that use or disclosure is a materially inconsistent with the notice provided to the Workforce Member at the time of collection, the third party must provide the Workforce Members with prior notice of the changed practices.
- Does the CCPA apply if a Workforce Member is no longer a resident of California?
In the event a Workforce Member moves or is transferred to a location outside of California, depending on the facts, the Workforce Member may no longer be a resident of California and his or her personal information will no longer be protected by the CCPA. Notwithstanding, the Workforce Member’s personal information may be protected by other laws and the organization may still have the same, or even heightened, obligations to safeguard the Workforce Member’s data. Employers should consider this and similar issues when drafting notices for employees concerning their rights under the CCPA. For example, if a notice extends rights to an “employee” and not an “employee who is a California resident,” a transfer that would change the person’s residency may not change the rights extended in that notice.
- How does the CCPA interact with federal, state, or local laws?
The CCPA specifies that its obligations are a matter of statewide concern in California and supersede and preempt all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the collection and sale of a consumer’s personal information by a business.
However, the CCPA also specifies that its obligations shall not restrict a business’s ability to comply with federal, state, local laws, or regulations. In addition, while the CCPA is drafted to supplement federal and state law, it shall not apply if it is preempted by or in conflict with federal law, the United States Constitution, or the California Constitution. To determine which laws or regulations will govern, an organization will need to identify all the purposes for which Workforce Member information is collected, processed, and retained. For example, the federal Fair Labor Standards Act (FLSA) expressly requires the retention of employee identifying information for a specified period of time. These requirements would preempt the employee Workforce Member’s ability under the CCPA to request deletion of certain personal information that must be retained to satisfy compliance under FLSA. Similarly, as discussed above, ERISA includes certain recordkeeping requirements relating to an employer’s employee benefit plans. Specifically, section 209 requires that an employer maintain employee records sufficient to determine benefits. Again, an employee Workforce Member’s request for deletion of certain personal information may be information subject to ERISA retention requirements. In such a case, the employer’s obligations under CCPA would yield to ERISA’s requirement.
Action Required: While it is presently unclear whether the CCPA will apply to Workforce Member personal information, the question has been raised and efforts to remove Workforce Member data from the CCPA’s reach have thus far been rejected. Regulations from the California Attorney General’s office may provide some clarity on this point. It is also reasonable to believe further guidance or amendments from the California legislature may be forthcoming.
As always, ADP will monitor the status of the CCPA and keep clients apprised of any additional amendments or regulations issued.
*Produced in partnership with Jackson Lewis P.C.
Number of views (6963)/Comments (0)