2020 has been a transformative year of everlasting uncertainty and constant change: employee privacy is no exception. California laws impacting employee data are changing yet again. This article highlights what employers need to know about (1) recent amendments to the California Consumer Privacy Act, and (2) what happens if the California Privacy Rights Act is approved by voters on November 3, 2020.

AB 1281 Amendments to California Consumer Privacy Act

On August 30, 2020, the California legislature passed AB 1281, an Assembly Bill that amends the California Consumer Privacy Act (“CCPA”) to extend limitations on employee rights for another year until January 1, 2022. Governor Newsom signed AB 1281 into law on September 29.

Here is what businesses need to know about AB 1281 and its amendment to CCPA:

  • CCPA’s limited exception for applicants, current and former employees and independent contractors is extended until January 1, 2022;
  • AB 1281 only takes effect if the California Privacy Rights Act is not approved by voters; and
  • Employees still have a right to notice and a right to sue as further discussed below.

Proposition 24 a.k.a. California Privacy Rights Act

The California Privacy Rights Act (“Prop. 24”) is a ballot initiative that will be voted on by California residents on November 3, 2020. Here is what businesses need to know about Prop. 24:

  • The ballot initiative process gives California citizens a way to propose laws without the support of the governor or the legislature.
  • California voters will approve or deny Prop. 24 on November 3, 2020.
  • Prop. 24 extends CCPA’s limitation on employee rights to January 1, 2023.
  • Creates a new enforcement agency/commission to enforce Prop. 24.
  • Creates a new category of data called “sensitive personal information.”
  • Expands rights to access, correct and delete personal information.
  • Adopts a set of fundamental principles on data management, including limitations on data collection and retention.
  • Prop. 24 permits the legislature to amend the CPRA through a majority vote of both houses, signed by the Governor, so long as “the amendments do not compromise or weaken consumer privacy.”

Brief History of CCPA’s Application to Employees

When CCPA passed in June 2018, there was no reference to employees, and it was uncertain whether employees were “consumers” and entitled to rights under CCPA. Later that year, the assembly introduced AB 25, which initially was drafted to exempt employees from CCPA. By the time AB 25 worked its way through the legislative process, it modified CCPA to expressly include employees and provided limited rights under CCPA until January 1, 2021. (See Employee Privacy by Design: Guidance for Employers Beginning to Comply with the CCPA and Big Bang! California Expands Employee Privacy Rights.) In February 2020, the Attorney General proposed regulations that contemplated employee rights under CCPA. (See The Heart of Employee Right under CCPA: Attorney General Modified Guidance.)

What Employers Must Do in 2020 & 2021 to Comply With CCPA

Currently, CCPA and the Attorney General’s regulations give limited rights to job applicants, current and former employees, independent contractors, owners/directors/officers, medical staff, emergency contacts, and dependents, spouses, or other beneficiaries for benefit administration. (Cal. Civ. Code § 1798.145(h)(1).)

  • The Right to Notice at Collection. California applicants, current and former employees and contractors have the right to receive a notice from employers at or before personal information is collected. The notice must include the categories of personal information the business collects and the purposes for collection. (Cal. Civ. Code § 1798.100.)
  • Data Breaches & Statutory Damages. California residents have the right to institute a civil action and recover statutory damages in the amount of $100-$750 per consumer per incident if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. (Cal. Civ. Code § 1798.150.)

AB 25 provides employees, applicants and contractors full rights under CCPA effective January 1, 2021, including the right to request access or deletion of their personal information. Under AB 1281, if CPRA does not pass, then employers will have until January 1, 2022 before workers will have full rights under CCPA. In the meantime, workers still have the right to notice and right to sue under CCPA.

What Rights Employees Will Have in 2023 if CPRA Passes

Unless there are additional revisions before 2023, CPRA will expand employee rights to include the right to access, correct, delete, and limit certain types of processing of their personal information. Below is a chart that highlights the differences between the 2020 notice at collection and the 2023 notice at collection if CPRA passes:

Notice at Collection

2020 Requirements 2023 Requirements
  1. Categories of personal information collected; and
  2. Purpose(s) for which each category of personal information is used.
  1. Categories of personal information collected;
  2. Categories of sensitive personal information collected;
  3. Purpose(s) for which each category is used;
  4. Whether such information is sold or shared; and
  5. The time the business intends to retain each category, or the criteria used to determine such period.

Anticipating & Adapting to Change

Wisdom shared by Charles Darwin in On the Origin of Species provides insight to California employers: it is not the strongest of the species that survives, nor the most intelligent, rather it is the one that is most adaptable to change. In the wake of constantly changing laws, here is actionable guidance to take now in anticipation of inevitable change to California law:

  • Know Your Data. Identify and inventory all data collected about applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits. Classify what data may be considered personal information (see Civ. Code § 1798.140(o)) or sensitive personal information (id. at § 1798.82) that, if breached, could give rise to notice obligations.
  • Secure Sensitive Data. Confirm all sensitive employee data is reasonably secured and there are appropriate controls in place to prevent unauthorized access, destruction, use, modification, or disclosure.
  • Mindfully Manage Vendors. Identify and inventory all vendors, benefits administrators, staffing agencies, or other providers who support HR operations. Make sure contracts with these vendors, at minimum:
    • Restrict vendors from retaining, using or disclosing personal information for any purposes other than performing the services for which they are engaged;
    • Require vendors to implement and maintain commercially reasonable security measures relative to the nature of the information disclosed; and
    • Provide for indemnification and a fair limitation on liability to cover violations or breaches.
  • Provide CCPA Notices. Develop and implement Notices at Collection as required by CCPA, including by updating employee privacy policies, application forms, and disclosures on third-party platforms to describe what personal information is collected and the purposes for which it will be used.
  • Prepare, Implement & Enforce Data Retention Policies & Schedules. Although CPRA requirements related to data retention policies are far off, many laws in effect now mandate retention for a set period of time. For example, Labor Code section 226 mandates retaining payroll records for three years. Developing a good retention schedule helps businesses manage risk by destroying data that is no longer of value and not required by law.

*Garrett Stallins is an intern with Sheppard Mullin.