Employee Data Under the California Consumer Privacy Act
Several law firms issued client alerts following the adoption of the California Consumer Privacy Act (CCPA) about the application of the new California privacy law to employees at businesses. These employer law firms detailed the application of the law to employees based on the definition of consumer and the definition of personal information.
*** April 2019 Update: AB-25 in the California State Assembly calls for the exclusion of employees and certain other individuals with a business relationship from the definition of a consumer. At this stage, the bill is a proposal which may or may not be enacted. The core text in the bill to the definition of consumer is below in the section on AB25.***
Why might the CCPA apply to employee data?
The crux of the discussion about whether employee data is covered lies in the definition of Consumer provided by the California law. A consumer is defined in Section 1798.140(g) as a natural person who is a California resident. It does not require an individual to be making a purchase or acting in the sense of a traditional consumer of goods or services.
This interpretation is enhanced by the definition of personal information (PI). It is defined to explicitly include “professional or employment-related information.” Additionally, in the legislature’s findings and declarations attached to AB-375, it also mentions the fact that it is almost impossible to “apply for a job” without sharing personal information.
However, if this interpretation is correct, not all data collection about employees will be covered. For employee data to be protected, the business must be covered by the CCPA. In other words, it needs to be doing business in California and fall within one of the law’s three thresholds (annual gross revenue of $25 million, annual PI collection on 50,000, or 50% of annual revenue from selling consumers’ PI).
GET OUR FREE WHITE PAPER ON THE NEW CALIFORNIA LAW:
What kind of information will businesses need to be careful about?
Job Seekers: Businesses will need to make appropriate disclosures available to job seekers at or before the point of collection of their information.
Disclosures to Third-Parties: If employee data is sent to third-parties, the business will need to take appropriate steps to limit commercialization or provide their employees the ability to opt out.
Access to Personal Information in HR Records: Employees will be entitled to the data subject access rights granted by the California law. This would include the personal information contained in their human resources records collected as part of their employment.
Will the California Legislature Amend the Law to Exclude Employees?
California will have the opportunity to exclude employee data over the next year if they want to do so. The sponsors of the bill have already indicated that substantive changes to the bill would be taken up in 2019 before the 2020 effective date. So this change could be tacked on to additional amendments, if they had the desire to do so.
However, the California legislature has already declined to make the change as part of its previous CCPA amendment, SB 1121. It is not clear if excluding employee data would have been an appropriate change as part of this bill for “technical corrections” only legislation. So this could still be a subject of debate as the next potential round of amendments are considered.
Another possibility is that the legislature leaves the job to the California Attorney General. The privacy law gives the Attorney General the ability to adopt regulations necessary to further the purposes of the law. As the Attorney General solicits broad public participation as part of a rulemaking process and adopts regulations, it could decide to exclude employees from the definition of consumers.
We will be closely following the scope of the CCPA with respect to employees and any other amendments that the legislature undertakes in the next year.
This proposed bill adds the following text to the definition of consumer:
(2) “Consumer” does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.
Contact Clarip for Help with Your Privacy Program
The Clarip privacy software and team are available to help improve privacy practices at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, we can help through our modular GDPR software. Whether you are starting the process with GDPR data mapping automation, need privacy impact assessment software, or looking to meet ePrivacy requirements with cookie management software, Clarip can help strengthen your privacy program.
If CCPA compliance in 2020 is on your radar, ask us about our California Consumer Privacy Act software. Improve efficiency of responses to data subject access requests with our DSAR software, or provide the right to opt out of the sale of personal information with our consent management platform.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.