California Consumer Privacy Act and Employers

Part 2: How Employers Can Comply

September 5, 2018
Legal Update

You are an employer that meets one of the three threshold requirements listed in Part 1 and employs at least one person who resides in California. Now what?

This is the second in a two-part series on the California Consumer Privacy Act’s (CCPA’s) impact on employers. In Part 1, we addressed whether employers were caught up in the CCPA, concluding that, as currently written and enacted, many employers with California-resident employees will likely be required to comply with the CCPA’s requirements. View part 1 on the CCPA's applicability to employers within and outside of California.

What rights does the CCPA provide to your employees?

The CCPA was crafted to ensure, subject to certain exemptions, the privacy of California consumers’ personal information, as defined, through various affirmative rights granted to such consumers. As we discussed in Part 1, the definition of “consumers” is drafted broadly enough to include California employees. In the employer/employee context, those rights include the following:


What employer-held information is the subject of these rights?

The above-enumerated rights are applicable to “personal information” that the employer collects about employees. The definition of “personal information” in the CCPA is expansive and includes, among other things, the following information that is likely to be collected by employers:


How do employers comply with the CCPA?

Employers must implement privacy policies that explain the rights granted by the CCPA to employees and also establish procedures so that employees can exercise those rights. These requirements have the potential to be quite burdensome on employers. The right to access is very similar to the access rights granted by the General Data Protection Regulation (GDPR), such that employers who have implemented GDPR compliance policies and processes will not be adversely impacted by this requirement.

However, the other five rights granted to consumers by the CCPA are not identical to the rights granted by the GDPR. For example, the “right to erase” or to request a business to delete the consumer’s personal information is qualified by nine exemptions to compliance with the request, some of which will be relevant to the employer-employee relationship. For example, an employer would not be required to delete data – even when an employee requests the deletion – where the employer is required to maintain the employee’s personal information “as reasonably anticipated within the context of a business’s ongoing business relationship” with the employee and to “comply with a legal obligation.” One likely use of this exemption concerns the requirements under state and federal law for employers to maintain certain information relating to the personnel file. Under the federal Age Discrimination in Employment Act, employers must maintain payroll records including name, address, date of birth, occupation, and rate of pay for three years. This type of legal obligation can eliminate the employee’s right to have his or her information deleted, at least during the mandated record retention period. Businesses will have to evaluate their record-retention practices to determine whether they are legally mandated or whether records are retained for longer periods than necessary.

The right to know is another CCPA right of significance in the employment context. The CCPA grants the right to know what information has been collected and what information has been shared, either by selling it or disclosing it for a business purpose. It is in cases involving the sale of a consumer’s personal information to a third party that a consumer has the right to opt out. If an employer sells its employees' personal information to a third party, the employer will need to implement a process to permit employees to opt out prior to the sale.

What are the penalties for non-compliance?

The CCPA does not create a private right of action except in the case of a data breach, where it allows for statutory damages of up to $750 per incident of unauthorized access, theft, or disclosure of non-encrypted or non-redacted personal information. However, the California attorney general is granted enforcement authority and may impose a civil penalty of up to $7,500 for each violation where the state finds an employer has intentionally violated the CCPA. Alleged violators are entitled to 30 days’ notice to cure any deficiencies.

Take-away

The California legislature still has time to amend the CCPA and provide clear guidance as to whether employers are covered. Until then, employers who are likely covered should begin to prepare policies and procedures to meet the requirements of the CCPA, or they risk enforcement action or civil liability in the event of a data breach.

For more information, contact Jane Hils Shea, Melissa Kern, Brice Smallwood, or any other member of Frost Brown Todd’s Privacy and Information Security Team.