Transparency and communication are cornerstones of a successful relationship—and the employment relationship is no exception. The California Consumer Privacy Act (“CCPA”) came into effect on January 1, 2020, bestowing two landmark rights on California employees, applicants, contractors, emergency contacts, and dependents: (1) the right to notice about what personal information an employer collects and the purpose of collection; and (2) the right to sue with statutory damages if sensitive data is compromised.[1]
Since its inception, CCPA has been the subject of criticism, commentary, and multiple amendments. Notably, AB 25 was signed into law on October 11, 2019, amending CCPA to clarify its application to employee data. On February 10, 2020,[2] the California Office of Attorney General (“AG”) issued Modified Proposed Regulations giving guidance for the first time on notice obligations in the employment context. The deadline to submit written comments is February 25, 2020 at 5:00 p.m. (PST).
As previously reported in “Big Bang! California Expands Employee Privacy Rights & Insights from the Office of Attorney General” and “Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act,” the AG has until July 1, 2020 to finalize its regulations, which will ultimately be codified in the California Code of Regulations. The AG published its first draft of proposed regulations on October 10, 2019, the day before AB 25 was signed into law. Accordingly, the regulations were silent on employee rights. To solicit public feedback, the AG held a series of hearings in December 2019 in Sacramento, Los Angeles, San Francisco, and Fresno. In response to public feedback, the AG released Modified Proposed Regulations on February 10, 2020.
Modified Regulations Define New Terms for Employers
On February 10, 2020, the AG released Modified Proposed Regulations to provide additional guidance on CCPA’s application to employee data, among other revisions. First, the regulations create a new term under CCPA: “employment-related information” is the personal information that is collected by a business about employees, applicants, independent contractors, owners/directors/officers of a business, emergency contacts, and dependents. (Code Regs., tit. 11, § 999.301(i).) Importantly, the regulations state that the collection of employment-related information is considered a business purpose under CCPA. They also define “employment benefits” to mean retirement, health, and other benefit programs, services, or products to which consumers or their beneficiaries receive access through the consumer’s employer. (Code Regs., tit. 11, § 999.301(h).)
Clarifying Employee Notice at Collection
Most notably, the modified regulations reaffirmed that employers are required to provide notice to employees regarding employment-related information, which must include the categories of personal information collected and the purposes for which the information was collected. (Code Regs., tit. 11, § 999.305(e).) The modified regulations further clarified that businesses are not required to provide a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” in the employee notice at collection.
With respect to notice obligations, the regulations indicate employers may provide a link to or copy of the business’s privacy policies for job applicants, employees, or contractors in lieu of a link to the business’s privacy policy for consumers. Consumer privacy policies do not adequately address employee disclosures because the categories of data collected about employees are vastly different. Previous AG guidance indicated a link to notice was required at the point of collection, which was difficult for employers that do not always collect employee information electronically. Providing a copy of the disclosure via e-mail or paper is an acceptable method of delivery under the AG regulations. Employers can also include the disclosure on applicant websites and in the onboarding process.
Key Takeaways
The heart of CCPA is transparency and providing notice that is easy to understand. Albert Einstein said “if you can’t explain it simply, you don’t understand it well enough.” In light of the additional guidance from the AG, below are a few key takeaways:
- If you are a covered business, make sure you have provided workforce disclosures for applicants, current/former employees, and independent contractors. These are often different stand-alone documents.
- Consider the methods of delivery for your workforce and how those processes are documented.
- Confirm the disclosures comply with other AG requirements like ADA accessibility.
- Prepare now for CCPA’s full application to your workforce on January 1, 2021.
*Chelsea Staskiewicz is a legal intern in the San Diego office.
FOOTNOTES
[1] In 2002, California passed its first data breach notification law (see Civ. Code § 1798.81.5), requiring businesses to “reasonably secure” personally identifiable information. The CCPA gives this old law new teeth by providing consumers with a private right of action to recover statutory damages ranging from $100-750 per incident, per employee. It is important to note that statutory damages can be recovered if any of the information listed in the breach statute is unencrypted and unredacted, and subject to unauthorized access or disclosure. (Civ. Code § 1798.150(a)(1).)
[2] The California Attorney General initially issued the “Modified Proposed Regulations” on February 7, 2020, and released an “Updated Notice of Modifications” on February 10, 2020 to include a revision that was omitted in the February 7, 2020 version.