August 15, 2020

Volume X, Number 228

Big Bang! California Expands Employee Privacy Rights & Insights from the Office of Attorney General

On October 12, 2019, California Gov. Gavin Newsom signed AB 25 into law, giving employees, applicants, independent contractors, emergency contacts and dependents new rights to privacy. As explained in our previous post—Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act—the amendment to CCPA is a limited one-year reprieve for employers. Effective January 1, 2020, employers must provide disclosures to employees about the categories of personal information collected and its purpose. One year later, on January 1, 2021, all rights under CCPA will be provided, including the right to request access and the right to be forgotten. Below are a few quick points clarifying what AB 25 means for Human Resources professionals:

What HR Data is Regulated by CCPA? 

AB 25 clarifies that CCPA gives rights to all individuals that a business collects personal information from, including applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits. (Civ. Code § 1798.145(g)(1).) Accordingly, any personal information the business maintains that can identify these individuals is subject to CCPA.

What is Personal Information Under CCPA? 

The definition of “personal information” is very broad under CCPA and includes data elements that have never before been regulated. “Personal information” includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Civil Code 1798.140 (o)(1). Categories likely to be maintained by HR departments include “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” “driver’s license numbers,” “passports,” “social security numbers,” “financial information,” “medical information,” and “geolocation data.”

What New Rights Will California Workers Have on January 1, 2020? 

Although CCPA enumerates many rights, only two will go into effect on January 1, 2020:

1. The Right to Know. California applicants, current and former employees, and contractors will have the right to know before information is collected, the categories of personal information the business collects, and the purposes for which the categories of personal information will be used (the “Right to Know”). On October 10, 2019, the Attorney General released proposed regulations that affect the Right to Know. The regulations are currently in draft form, open to public comment for the next two months. Public forums will be held to solicit feedback. The CCPA Regulations provide the following tips for a CCPA compliant disclosure:

  • Make it easy to read and understandable to the average person.

  • Use plain, straightforward language and avoid technical or legal jargon.

  • Use a format that draws the consumer’s attention to the notice and makes the notice readable.

  • Translate into languages typically used when communicating with your workforce.

  • Make the notice accessible to consumers with disabilities.

  • Make it visible or accessible so workers can see it before any personal information is collected.

  • Include a list of the categories of personal information collected on your workforce. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

  • For each category of personal information, a list of the business or commercial purpose(s) for which it will be used.

  • If the business sells personal information, provide a link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info.”

  • Provide a link to the business’s privacy policy, or in the case of offline notices, the web address of the business’s privacy policy.

2. The Right to Statutory Damages for Data Breaches. As of January 1, 2020, individuals will have the right to statutory damages in the amount of $100-$750 per data breach if their sensitive data is breached.

What Additional Rights Will California Workers Have on January 1, 2021? 

CCPA will extend full protection and statutory rights to applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits including:

  • The right to request a business disclose what personal information the company has collected;

  • The right to know what personal information is being sold or disclosed and to whom;

  • The right to request and receive a copy of all of the above information in a readily useable format;

  • The right to request that the company delete their personal information (the right to be forgotten);

  • The right to opt-out of the sale of their personal information; and,

  • The right to be free from retaliation for exercising any rights.

Takeaways & Checklist

Below is a checklist you can use to ensure your business and HR data is compliant with CCPA by January 1, 2020:

□ Verify your company is a covered business and whether it must comply with CCPA.

□ Identify and inventory all data in your department that may be considered “personal information.”

□ Identify and inventory all third parties your business shares “personal information” with including benefits providers, insurance companies, payroll companies, staffing vendors, etc.

□ Make sure all third parties enter into service provider agreements with your business and agree to comply with CCPA.

□ Confirm all sensitive employee data is reasonably secured and there are access controls in place.

□ Update employee privacy policies to include CCPA rights including rights provided to emergency contacts and dependents.

□ Update application forms, disclosures or third party platforms to include CCPA rights including rights provided to emergency contacts and dependents.

For more detailed information about how to comply with the foregoing, see our previous post on Employee Privacy by Design.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IX, Number 287


About this Author

Justine M. Phillips, Labor & Employment Attorney, Sheppard Mullin Law Firm, San Diego
Special Counsel

Justine Phillips is a special counsel in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego (Del Mar) office.

Areas of Practice

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Justine takes a holistic approach to assist clients on everyday issues related to electronically stored information including: cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction...

Jessica R. Gross Privacy and Cybersecurity California Consumer Privacy Act of 2018 Labor and Employment

Jessica R. Gross is an attorney in both the Privacy and Cybersecurity and Labor and Employment Practice Groups in the firm's San Diego office.

Areas of Practice

Jessica is a rising professional practicing data security and privacy. She is a Corporate Member of the International Association of Privacy Professionals—the largest and most comprehensive global information privacy community—and is a Certified Information Privacy Professional on European Data Laws and the General Data Privacy Regulation (GDPR). Jessica assists all aspects of her clients’ cybersecurity needs. From sound information governance policies and regulatory compliance to incident response, Jessica helps businesses and individuals understand their obligations and address some of the biggest challenges of today’s digital world. With the expansion of laws on data privacy and cybersecurity, like California’s new Consumer Privacy Act of 2018, Jessica helps her clients stay on top of cutting-edge developments and mitigate risk. Her work also includes crafting pragmatic privacy policy and terms of use provisions for websites and apps in light of these ever-changing state, national, and international laws.

Jessica assists the Labor and Employment Group with a range of issues related to employee privacy, including background checks, device and social media use policies, and other employment agreements such as proprietary innovation and information agreements. Given Jessica’s technical background, she is also able to assist in trade secret theft investigations and matters.

Jessica also supports the firm’s eDiscovery needs and other general litigation matters. Managing complex electronic discovery issues can be daunting. Jessica can assist litigation counsel and trial teams with the collection, production, and presentation of electronically stored information. As a former judicial law clerk for a federal magistrate judge, Jessica is well-trained to effectively and efficiently manage discovery obligations and to resolve discovery

Daniel Masakayan Employment Lawyer Sheppard Mullin

Daniel Masakayan is an associate in the Labor and Employment Practice Group in the firm's Washington, D.C. office.