On October 11, 2019, California Gov. Gavin Newsom signed AB 25 into law, giving employees, applicants, independent contractors, emergency contacts and dependents new rights to privacy. As explained in our previous post—Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act—the amendment to CCPA is a limited one-year reprieve for employers. Effective January 1, 2020, employers must provide disclosures to employees about the categories of personal information collected and its purpose. One year later, on January 1, 2021, all rights under CCPA will be provided, including the right to request access and the right to be forgotten. Below are a few quick points clarifying what AB 25 means for Human Resources professionals:
What HR Data is Regulated by CCPA? AB 25 clarifies that CCPA gives rights to all individuals that a business collects personal information from, including applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits. (Civ. Code § 1798.145(g)(1).) Accordingly, any personal information the business maintains that can identify these individuals, is subject to CCPA.
What is Personal Information Under CCPA? The definition of “personal information” is very broad under CCPA and includes data elements that have never before been regulated. “Personal information” includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Civil Code 1798.140 (o)(1). Categories likely to be maintained by HR departments include “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” “driver’s license numbers,” “passports,” “social security numbers,” “financial information,” “medical information,” and “geolocation data.”
What New Rights Will California Workers Have on January 1, 2020? Although CCPA enumerates many rights, only two will go into effect on January 1, 2020:
1. The Right to Know. California applicants, current and former employees, and contractors will have the right to know before information is collected, the categories of personal information the business collects, and the purposes for collections (the “Right to Know”). On October 10, 2019, the Attorney General released proposed regulations that affect the Right to Know. The regulations are currently in draft form, open to public comment until December 6, 2019. Public forums will be held to solicit feedback. The CCPA Regulations provide the following tips for a CCPA compliant disclosure:
- Make it easy to read and understandable to the average person.
- Use plain, straightforward language and avoid technical or legal jargon.
- Use a format that draws the consumer’s attention to the notice and makes the notice readable.
- Translate into languages typically used when communicating with your workforce.
- Make the notice accessible to consumers with disabilities.
- Make it visible or accessible so workers can see it before any personal information is collected.
- Include a list of the categories of personal information collected on your workforce. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.
- For each category of personal information, a list of the business or commercial purpose(s) for which it will be used.
- If the business sells personal information, provide a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”
- Provide a link to the business’s privacy policy, or in the case of offline notices, the web address of the business’s privacy policy.
2. The Right to Statutory Damages for Data Breaches. As of January 1, 2020, individuals will have the right to statutory damages in the amount of $100-$750 per data breach if their sensitive data is breached.
What Additional Rights Will California Workers Have on January 1, 2021? CCPA will extend full protection and statutory rights to applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits including:
- The right to request a business disclose what personal information the company has collected;
- The right to know what personal information is being sold or disclosed and to whom;
- The right to request and receive a copy of all of the above information in a readily useable format;
- The right to request that the company delete their personal information (the right to be forgotten);
- The right to opt-out of the sale of their personal information; and,
- The right to be free from retaliation for exercising any rights.
Takeaways & Checklist
Below is a checklist you can use to ensure your business and HR data is compliant with CCPA by January 1, 2020:
□ Verify your company is a covered business and whether it must comply with CCPA.
□ Identify and inventory all data in your department that may be considered “personal information.”
□ Identify and inventory all third parties your business shares “personal information” with including benefits providers, insurance companies, payroll companies, staffing vendors, etc.
□ Make sure all third parties enter into service provider agreements with your business and agree to comply with CCPA.
□ Confirm all sensitive employee data is reasonably secured and there are access controls in place.
□ Update employee privacy policies to include CCPA rights including rights provided to emergency contacts and dependents.
□ Update application forms, disclosures or third party platforms to include CCPA rights including rights provided to emergency contacts and dependents.
For more detailed information about how to comply with the foregoing, see our previous post on Employee Privacy by Design.