December 5, 2021

Volume XI, Number 339

Advertisement
Advertisement

December 03, 2021

Subscribe to Latest Legal News and Analysis

December 02, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Employers: Stop, Drop, and Ensure CCPA Compliance as to Employees Residing in California

Despite being in effect since Jan. 1, 2020, the California Consumer Privacy Act (CCPA) continues to generate confusion for employers of California residents. Much attention has been given to the CCPA’s effect on a business’ obligations in collecting, using, and sharing California customers’ data. However, given the CCPA’s broad “consumer” definition includes “employees,” it also imposes duties on any in-scope business that manages California employees’ data. Notably, under the CCPA, “employees” include job applicants. The CCPA thus applies to both California customers and employees/job applicants of any “business,” which is defined as a for-profit organization doing business in California that controls how personal information is processed and: (i) has gross annual revenue exceeding $25 million; (ii) buys, receives, sells, or shares personal information of 50,000 or more California consumers, households, or devices; or (iii) derives 50% or more of its annual revenue from selling personal information of California residents. Civ. Code § 1798.140(c)(1). Importantly, for the CCPA to apply, businesses do not have to be physically in California. Thus, for example, a business that does not have any facilities in California, but employs remote workers in California, could be subject to the CCPA if it meets the CCPA’s “business” definition.

The passage in October 2019 of California AB 25, which delays the deadline for compliance with certain CCPA requirements with respect to California employees (and job applicants) until Jan. 1, 2021, adds to the confusion surrounding the CCPA’s current impact on California employers. Though this has caused many to put CCPA employee data compliance on the backburner, the limited delay does not apply to several of the CCPA’s requirements, and businesses should take action now with respect to several issues.

First, either at or before the time data is collected, a business must inform a California employee/job applicant of the categories and specific pieces of “personal information” it is collecting, and disclose the purpose for which the “personal information” will be used (i.e., provide a Privacy Notice, which must be updated on an annual basis). This begs the question of what constitutes “personal information” under the CCPA. Though the CCPA provides a laundry list of categories that constitute “personal information” (which employers should carefully review [see Civ. Code § 1798.140(o)(1)]), much of the “personal information” subject to the CCPA is collected by a business upon employee onboarding. For example, personal information “identifiers” include names, addresses, email addresses, and social security numbers.

Importantly, if a business’ employee is also a consumer of the business, all “personal information” collected in the consumer context remains covered by the CCPA. Similarly, using an employee’s “personal information” for any non-employment-related purpose will all but certainly violate the CCPA.

Second, a California employee whose personal information is accessed or disclosed without the employee’s authorization, or worse yet, stolen, because the business failed to implement and maintain reasonable security procedures/practices, could potentially bring a civil action against the business. If successful, the employee may recover statutory damages ranging from $100-$750 per incident, or the actual damages incurred, whichever amount is greater. Civ. Code § 1798.150(a)(1).

The risk of liability for the unintentional disclosure of employee personal data is substantial, particularly given the rise in mass data breaches, which could in turn expose a business to a costly class action. Given this risk, a business with California employees should be vigilant in ensuring it has adequate security measures in place to protect against the unauthorized dissemination of employees’ personal information.

While employee privacy rights are nothing new in California, the CCPA expands these rights, and in turn imposes significant burdens on “businesses” that employ California residents. Further, unless the CCPA is amended, in 2021 California employees will be afforded full protection and treated like consumers under the CCPA, including the right to request that employers delete their personal information.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 71
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Ashley M. Farrell Pickett Labor & Employment Lawyer Greenberg Traurig Law Firm
Shareholder

Ashley M. Farrell Pickett focuses her practice in the areas of labor and employment and general business law. She has deep experience in both state and federal courts, ranging from individual claims to nationwide class actions.

In her employment practice, Ashley represents employers with respect to a wide range of employment discrimination and retaliation claims, sexual harassment, leaves of absence, employee accommodations, personnel policies, wage and hour compliance, and employment agreements, along with other labor and employment issues. Ashley is also skilled in advising...

310-586-7708
 Alexa Hankard Associate Sacramento Labor & Employment
Associate

Alexa Hankard manages cases on behalf of employers and business owners, conducting settlement negotiations and representing clients at mediations. She handles matters regarding breach of contract, and wage and hour actions, as well as claims of wrongful termination, unfair competition, discrimination, harassment, and retaliation. Alexa reviews employment policies, procedures, and agreements, including non-disclosure agreements. She also participates in pro bono matters on trade name infringement actions.

415-655-1290
Advertisement
Advertisement
Advertisement