April 18, 2019
Authored by: Sarah Bhagwandin, Steve Evans and David Zetoony
In the coming weeks we will be releasing a series of FAQs examining the California Consumer Privacy Act (“CCPA”) of particular importance to employers. These FAQs should help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance.
By way of background, employers with operations in California should be aware of the CCPA, a new privacy law that applies to data collected about California-based employees. Because the CCPA refers to “consumers,” many HR professionals don’t realize that the Act, as currently drafted, covers such employee data. Please see our recent blog post summarizing the CCPA for employers.
The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee data and updated or new data policies.
For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.
BCLP also offers a complete compliance program to employers that includes a formal gap assessment as well as policies, procedures, and protocols to close identified gaps.
Question 1: Does the CCPA apply to employee data?
The CCPA protects the data collected about “consumers”. While the common definition of “consumer” suggests an individual who has “consumed” a product or a service, the definition ascribed by the CCPA is far broader. The term is defined to include any “natural person who is a California resident.” Read literally, the phrase includes not only individuals who consume a product (e.g., a customer of a store), but also that store’s California-based employees, and California-based business contacts or prospective customers. The statute’s application to employee data is further confirmed by the fact that “personal information” is expressly defined to include “employment-related information.”
Employers with operations in California and with California-resident employees will need to review and prepare for the following to comply with the CCPA:
1. The CCPA’s expansive definition of “personal information”;
2. The CCPA’s new notice requirements for California-based employees, which notices describe the employer’s collection, use and disclosure of personal information;
3. The CCPA’s new data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;
4. The CCPA’s special rules for the collection and use of personal information of minors;
5. The CCPA’s requirement to implement appropriate and reasonable security practices and procedures;
6. The CCPA’s enforcement provisions, including a statutory damages framework; and
7. The CCPA’s private right of action for employees.
Comparison of Terms used in other data privacy laws:
The data privacy and security laws in the United States use different terms to describe the individuals whose information the laws govern. These include terms such as “covered person,” “individual,” and “customer.” The term used in a particular statute is less important than its definition. For example, two statutes may use the term “individual,” but one may define it as referring to all natural persons whereas another may define it as referring only to natural persons resident within the state. As another example, one statute may use the term “covered person” while another uses the term “individual,” and yet they define the terms in an identical manner.
In contrast to the diverse terminology used within United States statutes, the European GDPR, and many EU Member State statutes implementing the GDPR, consistently use the term “data subject,” which is defined broadly as any “identified or identifiable natural person” and has been expressly interpreted as including employees.
Looking past the different terms to the content being regulated will assist an employer in determining its compliance needs and adjusting its current notices, policies and procedures as necessary.