If your company has operations in California, you need to be aware of what the CCPA says about employee data, and the compliance obligations that you should be addressing now!
The CCPA was signed into law in June 2018, and although the Act does not come into effect until 1 January 2020, there is still a lot of confusion regarding its requirements, including how it works alongside other privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).
U.S. businesses that have already gone through the arduous task of achieving compliance with the GDPR may be familiar with most of the CCPA’s requirements regarding California-based employees. However, companies that are not obligated to comply with the GDPR will likely need to consider whether their existing employee data management policies and practices should be updated.
How does the CCPA apply to employee data?
Unlike the GDPR, the CCPA uses the term “Consumer” in its full title, which causes many HR departments to believe that the Act doesn’t apply directly to employees based in California.
The data privacy laws in the U.S. use different terms to describe the individuals whose information the laws cover, including “covered person,” “individual,” and “customer.” The term used in a particular statute matters less than its definition. For example, two statutes may both use the term “individual,” but one may define it as all natural persons while the other defines it as only those natural persons who reside within the state. Conversely, one statute may use “covered person” while another uses “individual,” yet define the two terms identically.
Within the CCPA, the term “consumer” is used to describe the individual whose personal information is governed by the statute. In everyday usage, a “consumer” is a person or organization that uses (consumes) a commodity or service. The CCPA definition is much broader.
In CCPA terms, a “consumer” is any “natural person who is a California resident.” The statute therefore regulates the collection and processing of data not only of individuals such as retail customers, but also of California-based employees, prospective employees and applicants, and the staff of independent contractors and staffing agencies about whom the company collects personal information.
The bottom line is that businesses that have employees in California and are subject to the CCPA will be required either to provide employees with a specific employee-focused privacy policy, or to revise their existing privacy policy so that it complies with the CCPA.
Relevant provisions in a nutshell
The CCPA covers all “residents” of California. Employers must therefore be prepared to provide protections to any employee who resides in California.
Because the CCPA reaches employee information, employers may be required to inform employees what data will be collected and the purposes for which it will be used, either before or at the time the information is collected. Unlike the GDPR, which requires a lawful basis (such as consent) before personal data is processed, the CCPA does not require “consumers” (here, employees) to consent before data can be collected; notice is the core obligation.
A “covered employee” who works in California may submit a Consumer Request to access:
- the personal information their employer has collected about them;
- the categories of sources from which the personal information was collected;
- the business purpose for collecting or selling the information; and
- the categories of any third parties with whom the information is shared.
The statutory right of access extends only to the 12-month period preceding the date of the request. Furthermore, the employer is not required to provide information whose disclosure could adversely affect co-workers.
The Act also excludes information that is sold to, or received from, a consumer reporting agency where the data is used in accordance with the procedures of the federal Fair Credit Reporting Act (FCRA).
Employees have a limited private right of action for data breaches: it applies only where nonencrypted and nonredacted personal information is compromised as a result of the business’s failure to implement and maintain reasonable security procedures. In such cases the employee may recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Encryption and redaction of stored employee data therefore directly reduce exposure to this claim.
Companies that share consumers’ Personal Information with service providers are not liable for any misconduct on the part of the service provider if, at the time of disclosure, the company did not have actual knowledge, or reason to believe, that the service provider intended to violate the Act.
And finally…
According to the International Association of Privacy Professionals (IAPP), more than half a million businesses could be affected by the CCPA. Irrespective of whether the Legislature amends the Act to exclude employee data, the California Consumer Privacy Act requires all covered businesses to take a good long look at their practices and procedures regarding employee personal data.
Sources and credits: California Attorney General Office, BCLPlaw
Notice: This article is intended as general information only and does not constitute legal advice. Please consult with a professional data privacy practitioner.