Welcome to our post highlighting key compliance issues under the California Consumer Privacy Act (CCPA). For a broader look at CCPA, please read our prior posts regarding applicability, gap assessments, and the recent amendments, and remember to register for our upcoming webinar covering the final requirements of the law on October 17, 2019. Stay tuned for our next post, “I’m a B2B Company – What Do I Need to Do under CCPA?”
If CCPA applies to your organization and you employ California residents, you may be rejoicing after the recently passed amendments. On September 13, 2019, the California Senate and Assembly passed bills including a limited moratorium for specific types of worker data (as defined below) and the bills are expected to be signed by the Governor soon.
The carve-out is generous, but it is not unlimited. In short, using worker data for any purpose other than employment-related purposes will likely result in the data falling outside of the scope of the exemption, and employers are still required to provide notice.
Unless the moratorium is extended or a permanent carve-out is adopted in the next legislative session, CCPA will apply in full to all worker data effective January 1, 2021.
Scope of the Exemption under the Moratorium
Personal information collected in the course of a California resident acting as a job applicant, employee, owner, director, officer, medical staff, member, or contractor of a business (i.e., “worker data”) and used solely in the employment context is exempt from compliance with certain CCPA requirements for one year (until January 1, 2021). Using worker data for any purpose outside of the work context will likely result in the data falling outside of the scope of the exemption, which would lead to the full applicability of CCPA requirements to worker data as of January 1, 2020.
Under the moratorium, the following CCPA rights and obligations will not apply during the period of January 1 through December 31, 2020:
- the right to access and data portability,
- the right to deletion,
- the right to opt-out,
- the right to not be discriminated against for exercising a right under CCPA, and
- the obligation to provide training.
The obligation to provide notice under CCPA is outside of the scope of the exemption and will therefore apply as of January 1, 2020 to all worker data processed by organizations qualifying as a “business.” In addition, the private right of action for data breaches applies to worker data.
What Do Employers Need to Do Now?
If your workers are covered by the CCPA, prior to January 1, 2020, you should:
- Know your data: As CCPA requirements are predicated on how you collect, use, and share worker data, in order to comply with CCPA, you will need to take stock of your data practices. This is typically achieved through data inventory and mapping. To the extent that worker data has already been mapped for compliance with other laws (such as the General Data Protection Regulation (GDPR)), you may be able to leverage information already on hand.
- Understand if the limited moratorium applies to all categories of worker data that your company processes: Using worker data for any purposes other than employment-related purposes will likely result in the data falling outside of the scope of the worker data moratorium. Therefore, identifying situations where third parties are allowed to use worker data for purposes other than employment is essential (e.g., worker data shared with third-party benefits providers to market their services to employees).
- Adjust practices or provide full rights: If you are sharing or using worker data outside of the work context, adjust your practices to take full advantage of the worker data moratorium. Otherwise, you should prepare to provide full CCPA rights to your workers as of January 1, 2020.
- Provide notice: Notice must be provided to workers at or before the time of collection of worker data. Consider how you will provide notice to employees (e.g., intranet) vs. job applicants (e.g., online portal). A narrow reading of the notice requirement may allow for limited disclosures for data that falls within the scope of the moratorium, but the best practice is to provide a full CCPA privacy notice.
- Reasonable security: Implement “reasonable” security measures to protect worker data from data breaches, which will serve as an affirmative defense in private rights of action involving worker data and will help to avoid potential damages up to $750 per worker per incident.
- Review record retention policies and practices: Evaluate policies and practices to identify the delta between how long you are required to retain data and how long you actually keep it. Limiting retention to the extent possible now will significantly lessen the burden of full compliance with CCPA rights in 2020 and beyond, and mitigates risk in the event of security breaches.
- Review contracts with vendors: Identify and review contracts with vendors that process worker data. While CCPA does not technically require adding specific language to such contracts, there are certain safe harbors for organizations that do. Additionally, operationalizing CCPA rights (such as access or deletion) will require the cooperation of your vendors, and it is advisable to formalize your expectations via contract.
- Training: Although the obligation to provide training with regard to worker data is delayed by the worker data moratorium until January 1, 2021, it would be prudent for employers to take the steps necessary to ensure that their human resources staff is sufficiently knowledgeable to respond to questions related to the applicability of the worker data moratorium during 2020.
How We Can Help
Squire Patton Boggs’ Data Privacy & Cybersecurity Group and our Labor and Employment Group can work together to help you determine whether, and to what extent, CCPA will impact your business and your data practices, particularly with respect to your employees, as well as assist you in your overall CCPA compliance efforts.