August 11, 2020

Volume X, Number 224

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

California Assembly’s Privacy Committee Advances CCPA Employee Carve-Out

On March 25, 2019, California Assembly Member Ed Chau introduced Assembly Bill 25 (AB 25) to amend the definition of “consumer” under the California Consumer Privacy Act of 2018 (CCPA) set to take effect on January 1, 2020. This amendment would expressly exclude employees, contractors and agents from the definition of “consumer” under the CCPA. On Tuesday, April 23, AB 25 cleared a large hurdle when the Assembly’s Committee on Privacy and Consumer Protection voted unanimously to advance it along with seven other industry-backed bills in a bid to clarify key parts of the CCPA. 

If passed, AB-25 would amend Cal. Civ. Code 1798.140(g)(2) to carve-out from the definition of a “consumer”: “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.” Chau states the intended effect of AB 25 more simply: “where the person’s ‘employee hat’ is on, the CCPA rights do not apply. Where the same person’s ‘employee hat’ is off, the CCPA applies.” In addition, Chau indicated that AB 25 also exempts data collected and used solely in the context of a business-to-business relationship (think: employee data collected by a customer and transferred to business performing outsourced job functions).  

Many California employers have expressed concern regarding the employer-employee relationship under the CCPA. Subject to certain exceptions, the CCPA as currently drafted will allow employees to request their employer provide portable access to their personal information, delete certain personal information from their records, and disclose information about the employer’s personal information collection and sharing practices. Assembly Member Chau states these rights could have unintended consequences. For example, an employee accused of sexual harassment could request that complaints about them be expunged from company files under the § 1798.105 right to delete. Another issue: highly sensitive information, like social security numbers, could fall into the wrong hands when a request is made for “specific pieces of information” the business has collected about a consumer as part of the consumer’s employment role pursuant to the § 1798.110 right to know.  Employers often maintain more categories of sensitive personal information on their employees than their customers, raising the risk of fraudulent disclosure.

Companies are closely watching AB 25 for another reason: if passed, it would bar employees from bringing a private right of action under the CCPA against a covered business that suffered a data breach arising from a failure to take reasonable security measures. AB 25 would therefore provide some relief for employers from additional private litigation stemming from the myriad consequences of a data breach. But such weakening of consumer private rights appears at odds with recently introduced Senate Bill 561, backed by California Attorney General Xavier Becerra, which is designed to expand the right of Californians to bring private legal actions under the CCPA. These two bills tee up the potential for a “grand bargain” that enhances consumer private rights one the one hand, while excluding employees from exercising those rights against their employers on the other. Such a balance may find purchase with both privacy advocates and industry groups alike.

All of eight of the bills passed by the Committee still need to clear the entire state Assembly before moving to the Senate. It seems likely that AB 25, at least, will eventually pass both houses and become law, given the strong interest in maintaining the current employer-employee relationship status quo. 

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume IX, Number 119


About this Author

Bryan Reece Clark Kansa City Attorney at  Polsinelli law firms Privacy and Data Security Law Practice

On November 6, 2017, Reece Clark joined Polsinelli’s Privacy and Data Security practice. He has worked in industries ranging from healthcare to banking, and telecommunications to retail. His areas of focus include cyber-security, technology, and venture capital casework. Mr. Clark served as Executive Editor of Iowa Law Review while attending Iowa College of Law, he also received his M.B.A., cum laude, Rockhurst University, 2013, Management, and B.A., cum laude, Rockhurst University, 2011, Economics, Political Science.

Areas of Focus

  • Privacy...

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters.  Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing.  She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement regulatory changes arising out of the General Data Protection Regulation (GDPR).  In her advertising practice, Liz advises clients within the cable television and entertainment industries on transactional and operational matters, with a particular focus on media sales and ad tech.  Liz also regularly advises clients with respect to all aspects of licensing and technology matters, including the drafting and negotiation of agreements related to software and hardware development, licensing and support.