We CCPA Through a Glass, Darkly: Employers' Compliance with the New California Consumer Privacy Act in 2020 and Beyond

On January 1, 2020, the California Consumer Privacy Act (the “CCPA”) will officially become California law. The law will impose myriad new obligations upon certain businesses regarding their collection, use, storage, and disclosure of consumers’ personal information.[1] While many observers have directed their attention toward the effects the CCPA would have on a business’s obligations regarding the collection, use, and retention of their California customers’ data, businesses have also expressed concern regarding how they should handle their California employees’ data. Businesses have prudently observed that the CCPA defines consumer broadly as “a natural person who is a California resident,”[2] which means CCPA applies not just to their California customers but also to their California employees.

California recently clarified employers’ CCPA obligations as to their employees. First, the California Legislature enacted AB 25, which exempted employers from all of the CCPA’s requirements with respect to their employees (with two significant exceptions) until January 1, 2021. California Governor Gavin Newsom signed AB 25 into law on October 11, 2019. Second, on October 10, 2019, California Attorney General Xavier Becerra released proposed regulations to the CCPA for public comment. This Alert examines the effects both of these actions will have on employers’ obligations toward their California employees’ personal information.

AB 25 Postpones Employer Obligations as to Most Employee Personal Information

As mentioned above, AB 25 exempts businesses from the majority of the CCPA’s requirements as they apply to employee data until January 1, 2021.[3] Specifically, AB 25 defers the CCPA's application as to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, . . . or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, . . . or contractor of that business.”[4] Businesses should therefore be careful to ensure that information collected from their employees is indeed solely collected and used in the context of their employment or else this data may still be subject to the CCPA as of January 1, 2020. Furthermore, businesses should pay close attention to legislative developments out of Sacramento during 2020 because the California Legislature is expected to use the year-long deferment provided by AB 25 to consider and potentially pass distinct legislation that will address employers’ obligations with respect to their employees’ personal information.

Businesses should note, however, that AB 25 did not exempt employers from two significant provisions in the CCPA. Employers therefore are required to comply with these two provisions on January 1, 2020.The first provision, section 1798.100(b), requires the employer to inform the employee/job applicant either at or before the time it collects the employee’s data about the categories of personal information the employer is collecting and the purposes for which the categories of personal information will be used.

The second provision, section 1798.150, allows an employee whose personal information is accessed, stolen, or disclosed without the employee’s authorization because the company failed to implement and maintain reasonable security procedures and practices to bring a civil action against the company. This provision poses considerable liability risks to employers, particularly in the class action context, because the employer can face damages ranging from $100–$750 per employee per incident or the actual damages incurred, whichever amount is greater.[5] The statute permits the court discretion to consider a variety of factors in determining the appropriate amount of statutory damages, including “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”[6] Employers should therefore ensure that they have security measures in place to protect the dissemination of employee data and that these security measures are effective to diminish the likelihood of facing costly litigation.

Proposed Regulations Provide Greater Guidance to Employers

The attorney general’s office has also attempted to clarify businesses’ obligations under the CCPA by releasing proposed regulations that interpret the law, some of which will apply to employers’ treatment of employee personal information effective January 1, 2020, despite the deferral provided with respect to other provisions by AB 25. Although there are no regulations interpreting section 1798.150 to give greater clarity regarding the civil action provision, the Attorney General provides several clarifications regarding a company’s obligations as to customer notice under section 1798.100(b). This notice requirement applies to employees, and as mentioned above, is not deferred. The attorney general begins the regulations governing notice at collection to consumers by describing why the notice at collection exists: “to inform consumers at or before the time of collection of the categories of personal information to be collected from them and the purposes for which the categories of personal information will be used.”[7] For this reason, the attorney general states that the company’s notice at collection must be “designed and presented to the consumer in a way that is easy to read and understandable to an average consumer.”[8] The attorney general then specifies several design and presentation requirements to assist companies in their efforts to comply with their notice at collection obligations:

• Use plain, straightforward language and avoid technical or legal jargon.
• Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable.
• Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers.
• Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.
• Be visible or accessible where consumers will see it before any personal information is collected. For example, when a business collects consumers’ personal information online, it may conspicuously post a link to the notice on the business’s website homepage or the mobile application’s download page or on all webpages where personal information is collected. When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.[9]

The regulations also reiterate the CCPA’s requirement that a company must provide its employees with new notice each time it collects a new category of personal information belonging to employees or uses collected categories of personal information for a new purpose before the collection or use occurs.[10]

AB 25’s Effects on the Proposed Regulations Requires Further Clarification

Although the regulations provide a helpful start for employers in evaluating some aspects their remaining responsibilities under the CCPA, the regulations also create some confusion for employers in other areas. This confusion is significantly due to the AB 25’s enactment occurring one day after the release of the proposed regulations. Section 999.305 of the proposed regulations, for example, states that a business that fails to provide a consumer with notice at or before collection of the consumer’s personal information cannot collect personal information from the consumer.[11] An employer who failed to provide its California employees with notice of the categories of personal information it is collecting could therefore, arguably, not collect that information. This application directly conflicts with both federal and California law, each of which impose unique requirements on employers to obtain information from employees and maintain personnel records of those employees. Resolving conflict between the CCPA and federal/California laws is one of the major reasons that the California Legislature passed AB 25 and deferred application of the majority of the CCPA’s requirements to California employers until 2021. This regulation as currently constituted and as applied to employers resurrects some of the problems AB 25 attempted to extinguish.

Furthermore, there are several issues regarding what information needs to be included in the notice at collection because of AB 25’s exemptions. Section 999.305, for example, requires businesses to provide links to their privacy policies in the notice at collection.[12] Section 999.308 of the proposed regulations then outlines the requirements for a company’s privacy policy to be legally compliant, which include that a company’s policy must explain the customer’s rights to delete and/or opt-out of collection of personal information.[13] AB 25, however, provides that the CCPA provisions allowing customers to delete and/or opt-out of collection of their personal information do not apply when the company collects and uses the information solely within the context of the customer’s employment with the company. The regulations provide no guidance as to whether a company would need to provide its employees with a privacy policy that follows all of section 999.308’s requirements (including those that are not applicable to it), whether the company would need to provide a truncated version of the privacy policy (and if so, what provisions would need to be included and which ones could be omitted), or whether the company needs to provide its employees with a privacy policy at all so long as they provide the notice at collection. Similarly, the regulations do not clarify whether businesses are required to include “Do Not Sell My Personal Information” or “Do Not Sell My Info” links in the notices at collection to their employees in the aftermath of AB 25 as they are required to do for ordinary consumers.[14]

Conclusion

With the attorney general’s release of the proposed regulations to the public, the regulations are now in the notice-and-comment period. The attorney general is holding four public hearings in cities throughout California before the notice-and-comment period closes to receive input from stakeholders in the state regarding any changes that should be made to the regulations. The first public hearing will be in Sacramento on December 2, 2019, followed by Los Angeles on December 3, San Francisco on December 4, and Fresno on December 5. The hearings begin at 10:00 a.m. each day. The attorney general’s office requests all participants interested in attending the hearing to register online. The attorney general’s office has posted the location of each public hearing and how to submit written comments on its website. The notice-and-comment period for the proposed regulations ends on December 6, 2019, at 5:00 p.m., PST. Employers would be wise to attend, learn, and comment as they deem appropriate. Additionally, to the extent the Legislature considers either amendments to the CCPA or employer-focused data privacy legislation in 2020, employers would be prudent to provide input as they deem appropriate.

Notes:

[1] K&L Gates has a robust privacy, data protection, and information management practice and frequently publishes articles on privacy law issues, including the CCPA. For more information on the firm’s capabilities in this area of the law, please see http://www.klgateshub.com/search/?search=privacy.

[2] See Cal. Civ. Code § 1798.140(g).

[3] See Cal. Civ. Code § 1798.145 (g)(1)(A).

[4] Id.

[5] See Cal. Civ. Code § 1798.150(a)(1)(A).

[6] Cal. Civ. Code § 1798.150(a)(2).

[7] Cal. Code Regs. tit. 11, § 999.305(a)(1) (proposed Oct. 11, 2019).

[8] Cal. Code Regs. tit. 11, § 999.305(a)(2) (proposed Oct. 11, 2019).

[9] Cal. Code Regs. tit. 11, § 999.305(a)(2)(a)–(e) (proposed Oct. 11, 2019).

[10] Compare Cal. Code Regs. tit. 11, § 999.305(a)(3)–(4) (proposed Oct. 11, 2019) with Cal. Civ. Code § 1798.100(b).

[11] See Cal. Code Regs. tit. 11, § 999.305(a)(5) (proposed Oct. 11, 2019).

[12] See Cal. Code Regs. tit. 11, § 999.305(b)(4) (proposed Oct. 11, 2019).

[13] See Cal. Code Regs. tit. 11, § 999.308(b) (proposed Oct. 11, 2019).

[14] See Cal. Code Regs. tit. 11, § 999.305(b)(3) (proposed Oct. 11, 2019).