September 25, 2021

Volume XI, Number 268

Advertisement

September 24, 2021

Subscribe to Latest Legal News and Analysis

September 23, 2021

Subscribe to Latest Legal News and Analysis

September 22, 2021

Subscribe to Latest Legal News and Analysis

CCPA: Employee Personal Information on the Chopping Block

How will the California Consumer Protection Act (CCPA) apply to us? This is a question 0rganizations have asked since the CCPA was first proposed. There remains a number of important questions about the scope of the Golden State’s sweeping privacy law that still need to be answered.

One of those questions is whether the CCPA will reach employee data; that is, are an organization’s employees “consumers” under the law. Earlier this week, the California Assembly Privacy and Consumer Protection Committee started working through a number of bills addressing the CCPA. Included in those bills is AB 25, authored by the Committee Chairman, Ed Chau, which addresses this issue.

The Committee unanimously approved AB 25 which modifies the definition of “consumer” to exclude

a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business. 

If signed into law, this change would be welcomed news for organizations already struggling with other aspects of CCPA compliance. However, organizations still may have CCPA issues to consider with respect to their employees.

Individuals can be employees and consumers of the same organization. In that case, an organization might want to consider, for example, how a dispute over its handling of a request for deletion of consumer personal information belonging to an employee/consumer could spill over into the workplace. Likewise, employers may have engaged certain third party vendors to provide certain products or services to employees. In certain circumstances, employers have a duty to obtain written assurances from those vendors that they will safeguard the employee personal information provided to these vendors. Employers will have to consider whether those assurances should include CCPA compliance, or will a “compliance with all laws” clause be sufficient.

Additionally, with the significant media attention to the CCPA and other privacy developments, such as the European Union’ General Data Protection Regulation (GDPR), employees may get confused about whether their rights under the CCPA as consumers also extend to the workplace. Some organizations may already extend CCPA-like protections to employees, perhaps flowing from global privacy policies driven primarily by GDPR. However, organizations that have not taken that approach need to be prepared to respond to demands from employees concerning their personal information. “The CCPA does not apply” may not be the right answer in light of the fact many states provide certain rights to employees concerning their personnel file and personal information. In California, for example, current and former employees have the right to inspect and receive a copy of the personnel files and records that relate to the employee’s performance or to any grievance concerning the employee. Cal. Labor Code Section 1198.5.

Further, regardless of the ultimate amendments to CCPA, there continues to be a growing trend for states to propose and implement privacy protections related to the data organizations collect.

We will be following the fate of AB 25 and the other pending CCPA bills. If CCPA is amended by AB 25 as currently drafted, it will be a relief for CCPA-covered entities, but it will not entirely eliminate the potential implications CCPA (or other state laws) may have on the workplace.

Jackson Lewis P.C. © 2021National Law Review, Volume IX, Number 115
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Advertisement
Advertisement
Advertisement