By Usama Kahf, Partner, Fisher Phillips
Thanks to recent negotiations among state lawmakers, it appears that California employers may get a temporary reprieve on some of the more sweeping data privacy requirements that were set to take effect in just a few short months. However, the pending legislation that would provide the delay does not exempt employers from significant disclosure requirements that also comprise the California Consumer Privacy Act (CCPA) – meaning you should still be in the process of preparing for the new law at your workplace.
California Assembly Bill 25, which passed the Legislature in September and is currently awaiting Governor Newsom’s signature (or veto, though he is expected to sign), provides employers about to be covered by the CCPA a one-year extension on the deadline to start tracking, responding to and complying with employee requests for disclosure, copies and deletion of employees’ personal information you collect and maintain. Rather than the originally planned January 1, 2020 deadline, the amendment’s passage pushes the effective date of this portion of the statute to the start of 2021. However, AB 25 does not exempt you from the January 1, 2020 deadline to start disclosing to employees the categories of personal information you collect and the business purposes for which this information is used.
Background
Enacted in June 2018 and amended in September 2018, the CCPA will provide sweeping privacy protections for California residents as of January 1, 2020.
The only “covered businesses” that will be subject to the CCPA are those for-profit businesses that (1) have annual gross revenues over $25 million, (2) annually receive, sell, or share personal information about 50,000 or more California residents or households or 50,000 devices, or (3) derive 50 percent or more of their annual revenue from selling personal information of consumers.
While this may appear to only apply to larger businesses, the second category (50,000 consumers or devices per year) is expected to capture many small businesses. For example, a small business that has a website with 137 unique visits per day and collects data about the devices or consumers who are accessing the site is going to meet the threshold.
Employee Data
The CCPA as enacted makes no distinction between employees and consumers. The CCPA defines “personal information” so broadly that it potentially covers all information you collect, maintain or share about job applicants and employees that could identify the individual or be used in conjunction with other information to identify the individual.
This includes, for example, the name of an employee in conjunction with the state or federal protected category they are in (such as age, race, gender, sexual orientation, religion, disability, etc.). It also includes network or internet activity logs on company computers assigned to employees that show user activity, such as search and browser history. The definition of “personal information” also lists the broad category of “professional or employment-related information” without any definition or parameters of what this entails.
Subject to the one-year delay provided in AB 25, the CCPA requires covered employers to track and respond to “consumer requests” from employees. Such requests include a request for a copy of all the employee’s personal information the employer has obtained, compiled or shared in the last 12 months. You would have to respond to these requests within 45 days, which can potentially be extended by another 45 days.
Since the definition of “personal information” is so broad, the CCPA may allow employees and their attorneys to request and obtain from you free of charge a lot more than what the law otherwise permits – a significant amount more than just an employee’s personnel file and payroll records. To say that this permits potentially abusive and burdensome pre-litigation discovery would be an understatement.
The AB 25 Compromise
AB 25 was introduced by the same legislator who authored the CCPA. It initially sought to clarify parts of the CCPA and modify its scope to exempt personal information obtained from or about employees and job applicants in the course of their employment or application for employment. Part of the rationale for this bill is that personal information is already subject to other privacy protections, and employers typically collect and use this information for legitimate employment purposes, such as administering benefits and payroll and complying with state and federal laws.
AB 25 appeared to be swiftly moving through the legislative process and gaining support from privacy advocates and staffing agencies. However, in June and early July, organized labor and their supporters opposed the bill and stated that they were very concerned about “workplace privacy” and exempting employment data from the CCPA. This opposition threatened to derail AB 25.
Fortunately, a compromise was reached, and the bill was amended on July 11, 2019, to provide the following:
- A one-year “sunset date,” meaning the exemption for employment data will expire on January 1, 2021 unless extended.
- The exemption for employment data does not apply to the private right of action under the CCPA for a data breach resulting from the business’s failure to implement reasonable security measures as required by the CCPA. If an employee suffers harm due to a data breach of their “personal information,” the employee can file a lawsuit seeking between $100 and $750 per consumer per data breach incident or actual damages, whichever is greater.
- Most significantly, this compromise will require covered employers to disclose to employees and job applicants the categories of personal information collected and the purposes for which the information will be used. Employers must comply with this disclosure requirement by no later than January 1, 2020.
Next Steps
The good news is that employers have a one-year reprieve before the floodgates of pre-litigation discovery and fishing expeditions by plaintiffs’ attorneys are opened. The bad news is that this issue is far from over, as 2021 is only 15 months away, and there is no guarantee that the legislature will reach a more permanent fix.
Regardless, you should immediately work on preparing the required disclosure to employees and job applicants to implement no later than January 1, 2020. This disclosure can be made in the employee handbook or through a memo to all employees. There technically is no requirement that employees sign an acknowledgment of receipt of the disclosure, but having their signature will be the only sure way to prove that they received it.
As for job applicants, since the CCPA requires that the disclosure be made at or before the transaction in which the personal information is collected, the best approach is to include the disclosure with the job application.
Although the compromise on AB 25 was not ideal, it was necessary to preserve the status quo while the issue continues to be debated in Sacramento.
About the Author
Usama Kahf is a partner with labor and employment law firm Fisher Phillips in Irvine, Calif. He represents employers of all sizes in matters of workplace privacy, data security, unfair competition, and trade secret theft and corporate espionage. Usama can be reached online at [email protected] and at the firm website https://www.fisherphillips.com/attorneys-ukahf