Employers and the CCPA

Unless a California employer has been hiding under a rock, chances are that the company is aware of the impending California Consumer Privacy Act (CCPA).

Signed into law in June 2018 as a quickly-enacted compromise to prevent an even stricter initiative from appearing on the ballot, the CCPA is the most far-reaching consumer privacy and data protection measure in the United States.

The new law applies to any for-profit company doing business in the state that (1) collects consumers’ personal information (PI) solely or jointly with others and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.

“Personal information” includes an IP address, Internet activity, geolocation, education information and biometrics, among other data. A “consumer” is defined as “a natural person who is a California resident,” easily encompassing both employees and job applicants.

Covered entities are required to provide consumers with access to the data collected about them as well as the ability to opt out of the sale of their information to third parties and request that their PI be deleted. Businesses must disclose and deliver the information to consumers free of charge within 45 days of receiving a verifiable request.

Violations of the CCPA are actionable by the California Attorney General’s Office and a limited private right of action also exists for data breaches, with civil penalties of up to $7,500 per violation.

The expansive definitions and broad reach of the law have many employers concerned about the application of the CCPA to their business when the statute takes effect on January 1, 2020.

But – for those employers that do fall under the statute’s coverage – a last-minute amendment to the CCPA will provide a one-year reprieve.

In an effort to alleviate the burden on employers, state lawmakers enacted Assembly Bill 25 in September. The measure amended the CCPA to provide a one-year exemption for the personal information “collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.”

This tweak grants employers 12 months of breathing room as long as they are collecting the data of employees and job applicants solely for purposes relating to employment. Governor Gavin Newsom signed the bill into law on October 11, 2019.

Despite the reprieve, covered employers would be well-served to continue preparing themselves to comply with the law. The requirements of the CCPA will still apply with regard to PI about non-employees and/or non-exempt uses of employee and applicant data. And the statute will take full effect for employee and applicant data as of January 1, 2021, absent some future change to the law if lawmakers decide to extend the exemption or make it permanent.