Meet the CCPA: New Privacy Rules for California Employees

Employers with operations in California should be aware of the California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California-based employees.   HR professionals should be aware that, although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” will apply to California-based employees.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

1. Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;

2. Their business has gross revenue greater than $25 million; or

3. Their business derives 50% or more of its annual revenue from sharing personal information.

What are the key implications of having to comply with the CCPA?

The Employers who have to comply with the CCPA will be subject to the CCPA’s:

1. Expansive definition of “personal information”;

2. New notice requirements for California-based employees, which notices describe the employer’s collection of and use and disclosure of personal information;

3. New data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;

4. Special rules for the collection and use of personal information of minors;

5. Requirement to implement appropriate and reasonable security practices and procedures;

6. Enforcement provisions, including a statutory damages framework; and

7. Private right of action for employees.

The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.  For employers who have not had to comply with the European Union’s General Data Protection Regulation (“GDPR”), the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee-data and updated or new data policies. Employers who have had to comply with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

In the coming weeks and months we will be releasing a series of articles that will help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance.

BCLP has also published a human resources specific Practical Guide to the CCPA, which provides an overview of the law and its requirements.  In addition, for employers subject to the CCPA, BCLP offers a complete compliance CCPA program to employers that includes a formal gap assessment as well as policies, procedures, and protocols to close identified gaps.