October 24, 2020

Volume X, Number 298



The Only Constant Is Change: How Evolving Privacy Laws Impact Employers

2020 has been a transformative year of everlasting uncertainty and constant change: employee privacy is no exception. California laws impacting employee data are changing yet again. This article highlights what employers need to know about (1) recent amendments to the California Consumer Privacy Act, and (2) what happens if the California Privacy Rights Act is approved by voters on November 3, 2020.

AB 1281 Amendments to California Consumer Privacy Act

On August 30, 2020, the California legislature passed AB 1281, an Assembly Bill that amends the California Consumer Privacy Act (“CCPA”) to extend limitations on employee rights for another year until January 1, 2022. Governor Newsom signed AB 1281 into law on September 29.

Here is what businesses need to know about AB 1281 and its amendment to CCPA:

  • CCPA’s limited exception for applicants, current and former employees and independent contractors is extended until January 1, 2022;

  • AB 1281 only takes effect if the California Privacy Rights Act is not approved by voters; and

  • Employees still have a right to notice and a right to sue as further discussed below.

Proposition 24 a.k.a. California Privacy Rights Act 

The California Privacy Rights Act (“CPRA” or “Prop. 24”) is a ballot initiative that will be voted on by California residents on November 3, 2020. Here is what businesses need to know about Prop. 24:

  • The ballot initiative process gives California citizens a way to propose laws without the support of the governor or the legislature.

  • California voters will approve or deny Prop. 24 on November 3, 2020.

  • Prop. 24 extends CCPA’s limitation on employee rights to January 1, 2023.

  • Creates a new enforcement agency/commission to enforce Prop. 24.

  • Creates a new category of data called “sensitive personal information.”

  • Expands rights to access, correct and delete personal information.

  • Adopts a set of fundamental principles on data management, including limitations on data collection and retention.

  • Prop. 24 permits the legislature to amend the CPRA through a majority vote of both houses, signed by the Governor, so long as “the amendments do not compromise or weaken consumer privacy.”

Brief History of CCPA’s Application to Employees 

When CCPA passed in June 2018, there was no reference to employees, and it was uncertain whether employees were “consumers” and entitled to rights under CCPA. Later that year, the assembly introduced AB 25, which initially was drafted to exempt employees from CCPA. By the time AB 25 worked its way through the legislative process, it modified CCPA to expressly include employees and provided limited rights under CCPA until January 1, 2021. (See Employee Privacy by Design: Guidance for Employers Beginning to Comply with the CCPA and Big Bang! California Expands Employee Privacy Rights.) In February 2020, the Attorney General proposed regulations that contemplated employee rights under CCPA. (See The Heart of Employee Right under CCPA: Attorney General Modified Guidance.)

What Employers Must Do in 2020 & 2021 to Comply With CCPA

Currently, CCPA and the Attorney General’s regulations give limited rights to job applicants, current and former employees, independent contractors, owners/directors/officers, medical staff, emergency contacts, and dependents, spouses, or other beneficiaries for benefit administration. (Cal. Civ. Code § 1798.145(h)(1).)

  • The Right to Notice at Collection. California applicants, current and former employees and contractors have the right to receive a notice from employers at or before the time personal information is collected. The notice must include the categories of personal information the business collects and the purposes for collection. (Cal. Civ. Code § 1798.100.)

  • Data Breaches & Statutory Damages. California residents have the right to institute a civil action and recover statutory damages in the amount of $100-$750 per consumer per incident if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices. (Cal. Civ. Code § 1798.150.)

AB 25 provides employees, applicants and contractors full rights under CCPA effective January 1, 2021, including the right to request access or deletion of their personal information. Under AB 1281, if CPRA does not pass, then employers will have until January 1, 2022 before workers will have full rights under CCPA. In the meantime, workers still have the right to notice and right to sue under CCPA.

What Rights Employees Will Have in 2023 if CPRA Passes

Unless there are additional revisions before 2023, CPRA will expand employee rights to include the right to access, correct, delete, and limit certain types of processing of their personal information. Below is a chart that highlights the differences between the 2020 notice at collection and the 2023 notice at collection if CPRA passes:

Notice at Collection

2020 Requirements

  1. Categories of personal information collected; and

  2. Purpose(s) for which each category of personal information is used.

2023 Requirements

  1. Categories of personal information collected;

  2. Categories of sensitive personal information collected;

  3. Purpose(s) for which each category is used;

  4. Whether such information is sold or shared; and

  5. The time the business intends to retain each category, or the criteria used to determine such period.

Anticipating & Adapting to Change

Wisdom shared by Charles Darwin in On the Origin of Species provides insight to California employers: it is not the strongest of the species that survives, nor the most intelligent, rather it is the one that is most adaptable to change. In the wake of constantly changing laws, here is actionable guidance to take now in anticipation of inevitable change to California law:

  • Know Your Data. Identify and inventory all data collected about applicants, current and former employees, contractors, emergency contacts, and dependents/spouses for purposes of administering benefits. Classify what data may be considered personal information (see Civ. Code § 1798.140(o)) or sensitive personal information (id. at § 1798.82) that, if breached, could give rise to notice obligations.

  • Secure Sensitive Data. Confirm all sensitive employee data is reasonably secured and there are appropriate controls in place to prevent unauthorized access, destruction, use, modification, or disclosure.

  • Mindfully Manage Vendors. Identify and inventory all vendors, benefits administrators, staffing agencies, or other providers who support HR operations. Make sure contracts with these vendors, at minimum:

    • Restrict vendors from retaining, using or disclosing personal information for any purposes other than performing the services for which they are engaged;

    • Require vendors to implement and maintain commercially reasonable security measures relative to the nature of the information disclosed; and

    • Provide for indemnification and a fair limitation on liability to cover violations or breaches.

  • Provide CCPA Notices. Develop and implement Notices at Collection as required by CCPA, including by updating employee privacy policies, application forms, and disclosures on third-party platforms to describe what personal information is collected and the purposes for which it will be used.

  • Prepare, Implement & Enforce Data Retention Policies & Schedules. Although CPRA requirements related to data retention policies are far off, many laws in effect now mandate retention for a set period of time. For example, Labor Code section 226 mandates retaining payroll records for three years. Developing a good retention schedule helps businesses manage risk by destroying data that is no longer of value and not required by law.

Garrett Stallins, an intern with Sheppard Mullin, and attorney Jason Heath contributed to this article. 

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 274



About this Author

Justine M. Phillips
Special Counsel

Justine Phillips is a special counsel in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego (Del Mar) office.

Areas of Practice

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Justine takes a holistic approach to assist clients on everyday issues related to electronically stored information including: cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction...

Jessica R. Gross

Jessica R. Gross is an attorney in both the Privacy and Cybersecurity and Labor and Employment Practice Groups in the firm's San Diego office.

Areas of Practice

Jessica is a rising professional practicing data security and privacy. She is a Corporate Member of the International Association of Privacy Professionals—the largest and most comprehensive global information privacy community—and is a Certified Information Privacy Professional on European Data Laws and the General Data Privacy Regulation (GDPR). Jessica assists all aspects of her clients’ cybersecurity needs. From sound information governance policies and regulatory compliance to incident response, Jessica helps businesses and individuals understand their obligations and address some of the biggest challenges of today’s digital world. With the expansion of laws on data privacy and cybersecurity, like California’s new Consumer Privacy Act of 2018, Jessica helps her clients stay on top of cutting-edge developments and mitigate risk. Her work also includes crafting pragmatic privacy policy and terms of use provisions for websites and apps in light of these everchanging state, national, and international laws.

Jessica assists the Labor and Employment Group with a range of issues related to employee privacy, including background checks, device and social media use policies, and other employment agreements such as proprietary innovation and information agreements. Given Jessica’s technical background, she is also able to assist in trade secret theft investigations and matters.

Jessica also supports the firm’s eDiscovery needs and other general litigation matters. Managing complex electronic discovery issues can be daunting. Jessica can assist litigation counsel and trial teams with the collection, production, and presentation of electronically stored information. As a former judicial law clerk for a federal magistrate judge, Jessica is well-trained to effectively and efficiently manage discovery obligations and to resolve discovery