May 24, 2022

Volume XII, Number 144


May 23, 2022

Subscribe to Latest Legal News and Analysis

Proposed Amendment to California Consumer Privacy Act (CCPA) Reaffirms Employer Notice Requirement and Employee Private Right of Action for Failure to Implement Cybersecurity Safeguards to Take Effect January 1, 2020

The recently proposed amendment to the California Consumer Privacy Act (CCPA) should be a wake up call to those employers who are not already actively planning for the January 1, 2020 compliance deadline.

The amendment reaffirms that employers must (i) provide employees with notice of the categories of personal information collected and the purposes for which the information shall be used at or before collection; and (ii) implement reasonable cybersecurity safeguards to protect certain employee personal information or risk employee lawsuits, including class actions seeking statutory damages, for data breach under a private right of action provision. Employers cannot collect additional employee information or use collected information for different purposes than originally noticed without giving supplemental notice.

Although the amendment would grant a one-year moratorium before certain rights of employees contained in the original legislation are effective (e.g., right by employees to receive a copy of the personal information collected and to deletion in certain circumstances), the private right of action to recover minimum statutory damages or actual damages for unauthorized access and exfiltration due to a failure to maintain reasonable cybersecurity safeguards, and notice of collection requirements, were retained in the employment context.

In June 2018, California enacted the CCPA to protect California residents’ personal privacy from organizations that are in the business of buying and selling personal information or might otherwise collect personal information in their business activities.  For an in-depth analysis of the Act’s provisions, see here. The Act becomes effective on January 1, 2020, so businesses still have time to become compliant. EBG has prepared a compliance flow chart highlighting key thresholds and requirements, see here.

After the Act’s passage, objections were raised by the business community who complained about certain of the Act’s requirements. Of particular concern was that the Act covered personal information collected in the course of the employment relationship. Employers pushed for relief from the CCPA’s requirements as proposed in the original bill.

Recently, there has been a legislative effort to address these concerns from employers, with a proposed amendment providing that employee personal information collected “solely” for employment purposes is exempt from certain of the Act’s requirements until January 1, 2021.  See 7/8/2019 Senate Judiciary Committee and 4/19/2019 Assembly Committee on Privacy and Consumer Protection Reports. In other words, should this amendment pass, the rights by employees to deletion of and to receive copies of their personal information (see1798.100(c); 1798.105)) and requirements of the Act other than1798.100(b) (notice of collection) and 1798.150 (private right of action for data breach) would not apply to solely employment-related data for one additional year.

The legislators, however, retained intact the provision providing employees with a private right of action for data breach while also emphasizing that the cybersecurity protections apply to the collection of certain employee personal information as defined in Section 1798.81.5 (e.g., social security number, medical information, health insurance information, username and password). Although the exemption from certain of the Act’s requirements is garnering attention, the reaffirmation of the employer’s “duty to implement reasonable security practices and procedures” and providing a private right of action with minimum statutory penalties “per consumer per incident” (even in the absence of actual damage) for the failure to do so leading to a data breach is more notable.  Employers should immediately proceed to conducting a risk assessment of its collection and use of employee personal information and implementing reasonable cybersecurity safeguards. Employers should also prepare for providing employees with notices of collection practices required by January 1, 2020, and develop written policies and procedures concerning the collection and use of employee personal information.

©2022 Epstein Becker & Green, P.C. All rights reserved.National Law Review, Volume IX, Number 204

About this Author

Brian G. Cesaratto, Epstein Becker, Employment benefits Litigation Lawyer, Workforce Management attorney

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

Patricia M. Wagner, Epstein becker green, health care, life sciences

PATRICIA M. WAGNER is a Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm's Washington, DC, office. In 2014, Ms. Wagner was selected to the Washington DC Super Lawyers list in the area of Health Care.

Ms. Wagner's experience includes the following:

Advising clients on a variety of matters related to federal and state antitrust issues 

Representing clients in antitrust matters in front of the Federal Trade Commission and the United States Department of...

Senior Attorney

DEANNA L. BALLESTEROS is a Senior Attorney in the Employment, Labor & Workforce Management and Litigation practices, in the Los Angeles office of Epstein Becker Green. Ms. Ballesteros litigates before courts and administrative agencies at the federal, state, and local levels on behalf of both private and public sector entities.

Ms. Ballesteros represents such public sector bodies as municipalities and local governmental administrative entities.

She also advises and litigates on behalf of clients in a wide range of private sector industries,...

Matthew Savage Aibel, Epstein Becker Green, Trade Secrets Attorney, Breach of Non-Compete Agreements Lawyer

MATTHEW SAVAGE AIBEL is an Associate in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Aibel:

  • Assists in the representation of clients in complex commercial litigation, business disputes, and breach-of-contract matters

  • Provides assistance with litigation matters involving the breach of non-competition and non-solicitation agreements, the misappropriation of trade secrets, and...