CCPA: Employee Personal Information on the Chopping Block
How will the California Consumer Protection Act (CCPA) apply to us? This is a question 0rganizations have asked since the CCPA was first proposed. There remains a number of important questions about the scope of the Golden State’s sweeping privacy law that still need to be answered.
One of those questions is whether the CCPA will reach employee data; that is, are an organization’s employees “consumers” under the law. Earlier this week, the California Assembly Privacy and Consumer Protection Committee started working through a number of bills addressing the CCPA. Included in those bills is AB 25, authored by the Committee Chairman, Ed Chau, which addresses this issue.
The Committee unanimously approved AB 25 which modifies the definition of “consumer” to exclude
a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.
If signed into law, this change would be welcomed news for organizations already struggling with other aspects of CCPA compliance. However, organizations still may have CCPA issues to consider with respect to their employees.
Individuals can be employees and consumers of the same organization. In that case, an organization might want to consider, for example, how a dispute over its handling of a request for deletion of consumer personal information belonging to an employee/consumer could spill over into the workplace. Likewise, employers may have engaged certain third party vendors to provide certain products or services to employees. In certain circumstances, employers have a duty to obtain written assurances from those vendors that they will safeguard the employee personal information provided to these vendors. Employers will have to consider whether those assurances should include CCPA compliance, or will a “compliance with all laws” clause be sufficient.
Additionally, with the significant media attention to the CCPA and other privacy developments, such as the European Union’ General Data Protection Regulation (GDPR), employees may get confused about whether their rights under the CCPA as consumers also extend to the workplace. Some organizations may already extend CCPA-like protections to employees, perhaps flowing from global privacy policies driven primarily by GDPR. However, organizations that have not taken that approach need to be prepared to respond to demands from employees concerning their personal information. “The CCPA does not apply” may not be the right answer in light of the fact many states provide certain rights to employees concerning their personnel file and personal information. In California, for example, current and former employees have the right to inspect and receive a copy of the personnel files and records that relate to the employee’s performance or to any grievance concerning the employee. Cal. Labor Code Section 1198.5.
Further, regardless of the ultimate amendments to CCPA, there continues to be a growing trend for states to propose and implement privacy protections related to the data organizations collect.
We will be following the fate of AB 25 and the other pending CCPA bills. If CCPA is amended by AB 25 as currently drafted, it will be a relief for CCPA-covered entities, but it will not entirely eliminate the potential implications CCPA (or other state laws) may have on the workplace.