The California Consumer Privacy Act (“CCPA”) takes effect on January 1, 2020 and imposes a wide range of new requirements for the collection and processing of personal data of California residents. Under the CCPA, “consumer” is defined broadly as a natural person who is a California resident. Assembly Bill 25 (“AB 25”), signed into law on October 11, 2019, provides a temporary and limited reprieve for employee data by establishing an exemption to the CCPA’s requirements to provide rights of access, correction and opt-out of sale of personal information for California residents who are job applicants, employees, owners, directors, officers, medical staff or contractors (collectively, “employees”). The exemption applies only to the extent that an employee’s personal information is collected and used solely within the context of such individual’s role as an employee and only until December 31, 2020.
Even with this exemption, the following two CCPA requirements apply as of January 1, 2020:
- At or before the point of collection of any personal information, companies must notify California resident employees of (i) the categories of their personal information collected, and (ii) the purposes for which such personal information will be used (see Section 1798.100(b)). With respect to (i), collection of new categories of personal information requires a new, revised notice to be provided to the employee. With regard to (ii), companies may not use personal information for any additional purpose not specified in the initial notice without first disclosing such use to the employee and obtaining the employee’s express consent to such additional use.
- California resident employees have a private right of action if their non-encrypted or non-redacted personal information is affected by a data breach via unauthorized access and exfiltration, theft, or disclosure, where the breach is caused by a company’s failure to implement and maintain reasonable security procedures (see Section 1798.150).
Companies with employees in California will need to adopt procedures to provide a CCPA-compliant privacy notice to such employees on January 1, 2020, with a look back to January 1, 2019 – i.e., companies must disclose how they collected and used employee information in 2019. Such notices will need to be broad enough to capture all of the specific categories of data that companies need to collect with regard to the employment relationship and all applicable compensation and benefits arrangements. For example, to the extent that companies are granting equity awards to California resident employees, such privacy notices will need to include any specific categories of employee personal information needed to make and administer such grants. Because the notice must be provided “at or before” the point of collection of the data, it will generally need to be provided in advance of the issuance of equity awards or other benefits. However, companies should include in equity award agreements or other compensation and benefits plan agreements an acknowledgment that employees have received the privacy notice required by the CCPA.
As noted, the limited exemption under AB 25 will be valid for only one year and expires on January 1, 2021. After the expiration of the exemption, companies will be subject to the full requirements of the CCPA with respect to employee data. For details on the full scope of the CCPA, please refer to the following alert published by our partner Lothar Determann.