[glossary_exclude]On September 13, 2019, the California Senate and Assembly unanimously passed an amendment to the California Consumer Privacy Act (“CCPA”) that places onerous obligations on employers and entitles employees to statutory damages for data breaches. As of the date this article was written, AB 25 awaits Governor Newsom’s signature. Regardless of whether AB 25 is signed into law, CCPA applies to employee data and employers have until January 1, 2020 to comply. This article explores how the California Consumer Privacy Act impacts existing employee privacy rights and how employers can begin to develop a holistic privacy compliance program.
What Businesses Are Covered by the California Consumer Privacy Act?
The CCPA covers for-profit “businesses” that do business in California and meet any one of the following thresholds:
Gross annual revenue exceeds $25 million; or
Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices; or
Derives 50% or more of its annual revenue from selling personal information.
Businesses do not have to be located in California for CCPA to apply. CCPA applies if one of the foregoing thresholds is met, the Company does business in California and the business has “consumer” data covered by the Act. Under CCPA, “consumers” is broadly defined as any “natural person who is a California resident.” (Civ. Code § 1798.140(g).)
Are Employees “Consumers” Under CCPA?
Since CCPA’s passage in June 2018, there has been fierce debate about whether “consumers” include employees. AB 25 has laid that debate to rest and made clear that “a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” would immediately receive some rights under the CCPA. (Civ. Code § 1798.145(g)(1)(A).) AB 25 will also extend rights beyond employees to include individuals identified by employee as emergency contacts and also employees’ dependents whose information was provided to administer benefits. In 2021, such individuals would be afforded full rights under the CCPA. (Id. at § 1798.145(g)(4).) If AB 25 is vetoed, then these individuals will receive all rights under CCPA on January 1, 2020. For simplicity, when we refer to “employee data” throughout this article, we intend to include applicants, current/former employees, independent contractors, and owners/directors/officers/dependents, and emergency contacts.
Understanding Employee, Dependents and Emergency Contacts Privacy Rights – The Beginning of the End
In the Golden State, employees have long enjoyed greater rights to privacy and statutory rights to inspect employment records. Like all Californians, an employee’s right to privacy begins with the California Constitution and is bolstered with various laws.
Employment records are deemed confidential and protected from disclosure absent a subpoena and consumer notice. Civ. Code Proc. § 1985.6(e). Employees also have a statutory right to inspect the following employment records: payroll records (Lab. Code § 226); documents signed during employment (Lab. Code § 432); records related to performance or a grievance (Lab. Code § 1198.5); and OSHA records for employee exposures to potentially toxic materials (Lab. Code § 6408(d).). Failure to comply with these inspection rights gives rise to statutory damages. For example, Labor Code 226 requires employers to allow inspection of payroll records within 21 days after a request is made, or else the employee is entitled to $750 in statutory damages. Until now, an employee’s right to inspect employment records was limited to the foregoing categories.
CCPA dramatically expands employee rights in three significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and purpose for collection; (2) it provides for statutory damages ranging from $100-750 if sensitive personal information is breached; and (3) it expands the right to request access/deletion of personal information.
Mandatory Employee Privacy Notices Beginning January 1, 2020
Employee privacy disclosures and appropriate use policies are nothing new. Such policies are typically used to inform employees of workplace monitoring and diminish expectations of privacy. California courts reinforce the importance of employers maintaining and widely publicizing an employee privacy notice with respect to the use of technology in the workplace. Courts have consistently upheld an employer’s right to monitor its employees’ computer use and override other privacy/confidentiality interests so long as there is a clear policy that employees have no expectation of privacy to data transmitted on company systems.
AB 25 will expand the scope and content of such employee privacy policies. As of January 1, 2020, employee privacy notices must also disclose:
The categories or personal information the company has collected; and,
The purposes for which the categories of personal information will be used.
“Personal information” is omnipotently broad under CCPA and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Civil Code 1798.140 (o)(1). The definition goes on to identify 11 categories and data elements like “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data,” to name a few. Simply put, employers must disclose all categories of personal information it collects, its purpose, and how the information will be used.
Enforcement. For now, there is no private right of action for failure to comply with these rights. Instead, the Attorney General has sole and exclusive jurisdiction to enforce these violations.
Statutory Damages ($100-750 per Consumer) for Data Breaches Beginning January 1, 2020
In 2002, California passed the first data breach notification law in the world (see Civ. Code § 1798.81.5) and required businesses to “reasonably secure” personally identifiable information. That law has evolved through the years, and today requires businesses to notify consumers (including employees) in the event any of the following sensitive personal information is accessed by an unauthorized user:
An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
Social security number;
Driver’s license number or California identification card number;
Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
Medical information; or
Health insurance information.
A username or email address in combination with a password or security question and answer that would permit access to an online account.
Enforcement. CCPA gave the old law a new (and expensive) attitude by providing consumers with a private right of action to recover statutory damages ranging from $100-750 per incident, per employee, if any of the information listed in the breach statute is subject to unauthorized access or disclosure. (Civ. Code § 1798.150(a)(1).) Similar to PAGA, CCPA allows consumers to bring a cause of action on behalf of others similarly situated which will make these claims ripe for class action litigation.
Employee Rights to Access & Request Deletion of Data Beginning January 1, 2021
In addition to the disclosures above, AB 25 amends the CCPA to extend full protection and statutory rights to applicants, employees, and independent contractors, including:
The right to request a business disclose what personal information the company has collected;
The right to know what personal information is being sold or disclosed and to whom;
The right to request and receive a copy of all of the above information in a readily useable format;
The right to request that the company delete their personal information (the right to be forgotten);
The right to opt out of the sale of their personal information; and,
The right to be free from retaliation for exercising any rights.
The obligation to comply with a deletion request is subject to numerous exceptions, including the right to keep data that must be maintained for other legal purposes or is consistent with the internal purpose for which it was collected. The majority of employee or applicant data will likely fall into one of these two exceptions.
Enforcement. For now, there is no private right of action for failure to comply with these rights. Instead, the Attorney General has sole and exclusive jurisdiction to investigate these violations.
Beginner’s Mind: What Can Employers Do to Prepare for CCPA?
Every day we get a chance to begin again. Below is actionable guidance to kickstart your employee privacy by design program or update existing privacy programs:
Data Mapping. Maya Angelou once said “if we know better, we do better.” If we know what data our organization maintains, we can do a better job meeting our legal obligations under CCPA. Document a comprehensive inventory of employee data. Knowing what employee data your organization collects is critical for two reasons: (1) disclosure obligations and (2) security obligations. A business cannot secure data if it does not know where it lives. Human Resources questionnaires or live interviews can help solicit feedback from key stakeholders to identify personal information collected for payroll, benefits, HR, tax, IT and other employment purposes. Once you know how employee data flows in and out of organization, prepare a visual diagram to help navigate other tasks.
“Reasonably Secure” Sensitive Employee Data. Reasonable security for sensitive data is not a new requirement, but the risk imposed by CCPA puts security at the top of our list for immediate action. After data mapping is complete, classify as “sensitive” any data that includes protected elements like Social Security Number, Driver’s License Number, financial information, health/insurance information, or username/password. As previously reported, the California Attorney General opined in a 2016 Data Breach Report that “reasonable security” of sensitive data includes encryption, multi-factor authentication and compliance with Center for Internet Security’s Critical Security Controls. Consult with a qualified cyber security consultant to conduct a “reasonable security” assessment for employee data.
Vendor Management. CCPA has flow-down provisions that require you to understand how third parties use, share and secure that data. Identify third parties and vendors that receive your employee or applicant data (e.g., payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies, etc.). Once identified, conduct vendor inquiries and diligence about how they use, share and secure the data. CCPA requires specific language be included in third party agreements to qualify as a service provider (which offers some safe harbors for CCPA violations). To the extent third parties receive sensitive data like Social Security Numbers, Driver’s License numbers, financial information, health information, etc. make sure they have implemented strong security to protect the data. For example, a new threat is targeting a known vulnerability that is commonly used to support Human Resources, applicant and recruiting software and applications. Confirm with your vendors they have mitigated the risk of the XML External Entity Processing vulnerability. Applicant data contains a treasure trove of sensitive data and notice is required if that data is breached—even if the breach occurs on your vendor’s website and not your own systems.
Data Minimization Principles. All good privacy by design programs reduce the amount of data collected to the minimum amount required to achieve its objective. Consider updating and enforcing your document retention policies to reduce the amount of data maintained. In the employment context, make sure former employee files are routinely destroyed pursuant to the retention schedules. Also, analyze whether the benefits of collecting data outweigh the risk. If so, limit the amount of data collected and maintained.
Update Employee Privacy Policies. Dust off existing employee privacy policies and include disclosures about categories/types of information collected and the purpose for its collection. Whether in employee handbooks, stand-alone disclosures, onboarding documents, or online privacy policies, business should update their disclosures to ensure they provide all the necessary information required by CCPA and other relevant privacy laws.
Applicant Privacy Disclosures. Similar to employees, applicants also must receive disclosures about data collected and its purpose for collection. Consider including disclosures on application forms or landing pages for online applications. Confirm any third party hosted application or recruiting platforms are CCPA compliant and have signed a CCPA Privacy & Security Addendum to qualify as a “service provider.” You can also include CCPA disclosures on a separate stand-alone form. Do not include CCPA with FCRA/ICRA disclosures.
Independent Contractor Disclosures. AB 5 codifies Dynamex Oct 4, and makes classification of independent contractors difficult in California. Given the anticipated wave of litigation expected, make sure to update any independent contractor agreements to confirm they are CCPA compliant and make adequate disclosures about data collection.
The Beginning is Always Today
All good stories have a beginning, middle and end. Employee privacy is no exception. We find ourselves at the beginning of a movement that will continue expanding employee rights. If AB 25 is signed, this will only provide a temporary reprieve for employers under the CCPA. However, by January 1, 2021, all applicants, employees, and independent contractors will have full rights under the CCPA, which include the rights to request and delete information.[/glossary_exclude]
Justine M. Phillips, Esq. is a Partner in Sheppard Mullin’s San Diego Office in both Cybersecurity and Labor & Employment Practice Groups. Justine takes a practical and mindful approach to assist her clients in every aspect of cybersecurity from data identification through destruction, complex litigation, and privacy/security by design. She can be reached at [email protected].