A bill giving employers an extra year to comply with much of the sweeping new California Consumer Privacy Act (CCPA) was recently signed by Governor Gavin Newsom (D). This amendment (AB 25) to the CCPA postpones most, but not all, employer obligations under the law until January 1, 2021.
The bulk of the CCPA, enacted in June 2018, takes effect January 1, 2020, with enforcement beginning July 1, 2020.
Basically, the CCPA (Cal. Civ. Code §1798.100 et seq.) applies to all personal information that a business collects from California residents. “Personal information” is defined quite broadly, to encompass any “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Businesses must inform individuals, at or before the point of collection, what categories of personal information they collect and the business’s purpose in collecting that information. Individuals have the right to know, on request, what information a company holds on him or her, where and why it was obtained, and how it is being used. Other individual rights include purpose limitation, deletion, opt-out of sale, and nondiscrimination.
CCPA violations may bring civil penalties of up to $7,500 per violation, and affected individuals may also sue for up to $750 per consumer per incident. Regulations to implement the CCPA were proposed October 10 by California Attorney General Xavier Becerra.
Two CCPA requirements take effect January 1, 2020, with respect to employee data: reasonable security measures to protect employee data (both physical and electronic), and disclosure of the categories of personal information collected and the business purposes for which it is collected. The remaining provisions take effect January 1, 2021. Another amendment signed October 11 (AB 1355) exempts certain business-to-business communications but, again, only until January 1, 2021.
First Steps
“Employers have their work cut out for them, but the governor’s signing of AB 25 gives you a one-year reprieve from having to comply with most of the CCPA’s requirements,” observed Fisher Phillips attorneys Benjamin Ebbink and Usama Kahf in a blog post. To meet the CCPA requirements that do take effect in 2020, employers subject to the law should do the following by the end of this year:
- “Data map” all employee data, including where it is stored, who uses it, and how;
- Undergo a security audit to ensure that reasonable physical and electronic security measures are in place to protect private information; and
- Draft a disclosure to employees and job applicants that describes the types of personal information collected about them and the purposes for which it is used.
Who Is Covered
A business is subject to the CCPA if it does business in California, collects personal information, and (1) has annual gross revenues exceeding $25 million; (2) annually buys or sells 50,000 or more Californians’ information for commercial purposes; or (3) gets most of its revenue from selling consumers’ personal information.
The phrase “doing business in California,” while not defined, seems to cast a broad net, according to Ebbink and Kahf. “For purposes of CCPA coverage of employee data, if a non-California business that fits the revenue threshold or one of the other criteria has one employee in the state, that business must comply with the CCPA with respect to that employee’s personal information.”
David A. Slaughter, JD, is a Senior Legal Content Specialist. He focuses on providing, editing, and updating content related to employee benefits and privacy compliance, including the Thompson HR benefits products. Before coming to BLR, he was an employee benefits compliance editor with Thompson Information Services. Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar. Questions? Comments? Contact David at dslaughter@blr.com for more information on this topic. |