News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Reports and Surveys

Access all reports and surveys published by the IAPP.
Resource Articles

The IAPP publishes longform, web-based resource articles to provide in-depth analysis on relevant topics in the privacy space.
White Papers

Access all white papers published by the IAPP.
Infographics

Access all infographics published by the IAPP.
Podcasts

The Privacy Advisor Podcast provides interviews with the privacy world's most interesting voices.
Videos

The IAPP's video library provides insights, reactions and opinions on a range of topics, including regulatory developments, areas of privacy operations management and more.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
Privacy 101

On this page, you’ll find articles and tools to help you get a basic understanding of the job of the privacy pro and data protection laws and practices around the globe.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Employers receive last-minute reprieve from the most onerous CCPA compliance obligations Related reading: Strategies to ensure compliance with global data minimization requirements

rss_feed

""

Just hours before California’s 2019 legislative session ended Sept. 13, the California Assembly approved Assembly Bill 25 that, if enacted, would substantially narrow the application of the California Consumer Privacy Act to employers. Understanding the contours of these limitations is critical for employers as they prepare to comply with the CCPA before it goes into effect Jan. 1, 2020.

What personal information does AB 25 exclude from most aspects of the CCPA?

The CCPA generally applies to all “personal information” of “consumers.” “Consumers” are defined as California residents, and “personal information” is any individually identifiable information about them. However, AB 25 excludes the following categories of California residents' personal information from the CCPA's scope: 

  1. Human resources data: Personal information of California residents in their capacity as job applicants, employees, individuals who are independent contractors, corporate officers and directors; individuals with a majority ownership interest in a business; and physicians, surgeons and dentists who are medical staff members (collectively referred to as “workforce members”).
  2. Emergency contacts: Personal information of California residents identified as a workforce member’s emergency contact.
  3. Third-party benefits information: Personal information used to administer benefits for California residents who are entitled to benefits from the employer by virtue of their relationship to a workforce member, such as spouses or dependents.

How does the CCPA apply to employers?

While AB 25 exempts employers from most aspects of the CCPA, employers remain subject to the CCPA in several important ways.

Exposure for information security breaches

The CCPA establishes a process that allows California residents to recover between $100 and $750 in statutory damages for certain information security breaches. For the process to apply, the breach must have two characteristics. 

First, it must involve the “unauthorized access and exfiltration, theft, or disclosure of” personal information that would trigger data breach notification obligations under California’s notification law, such Social Security number, driver’s license number or medical information (collectively referred to as “trigger data”). Any such breach would trigger the obligation under California’s breach notification law to notify affected individuals and, if the breach involved more than 500 California residents, to notify California’s attorney general.

Second, the breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The CCPA itself does not define “reasonable security procedure and policies.” However, in the California Data Breach Report, published in February 2016, California’s attorney general took the position that the “20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security” for personal information.

Before instituting an action to recover statutory damages on an individual or classwide basis, the affected individual must provide the business with 30 days’ written notice and an opportunity to cure any alleged failure of information security. If the business timely cures “and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the affected individual will no longer qualify to recover statutory damages on an individual or class-wide basis.

This provision likely increases the employers’ exposure with respect to the handling of workforce members' personal information. Many security breach class actions to date have failed because affected individuals could not adequately plead or prove that an information security breach proximately caused any cognizable harm to affected individuals. The statutory damages provisions may be construed to eliminate the need to prove such harm. Even at the rate of $100 per affected individual, a relatively small breach could result in substantial exposure for statutory damages.

Mandatory notice to workforce members regarding data collection

While workforce members are excluded from virtually all of the CCPA’s benefits for consumers, AB 25 specifically provides that workforce members must be informed “as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.” In addition, the CCPA requires a new notice when previously collected personal information is used for a previously undisclosed purpose.

Employers’ collection of personal information other than in their capacity as employers

Employers cannot lose sight of their CCPA compliance obligations other than in their capacity as employers. Most personal information collected from California residents who are not workforce members or from workforce members other than in that capacity — for example, from an employee in her capacity as a website user or customer — will be subject to all the CCPA’s compliance requirements. A detailed description of the CCPA as applied to the personal information of non-workforce members is beyond the scope of this article.

Is the limitation on the CCPA’s application to employers permanent?

Under AB 25, the limitation “sunsets” or automatically terminates unless legislative action is taken by Jan. 1, 2021. According to a committee report prepared by the bill's sponsor Assemblymember Ed Chau, D-Calif., the one-year period is intended to provide stakeholders with the opportunity to draft a “more narrowly tailored response” to the issues raised by the application of the CCPA to workforce members. 

What are the practical implications for employers?

California’s governor has until Oct. 13, 2019, to sign AB 25 into law. Assuming Gov. Gavin Newsom, D-Calif., does so, employers should consider taking the following steps:

  1. Review information security policies and procedures. The review should confirm that policies and procedures are adequate to reduce, to the greatest extent feasible given available resources, the risk of a security breach involving trigger data. Employers may also want to assess their policies and procedures against the "20 information security controls identified by the Center for Internet Security."
  2. Identify relevant points of collection of personal information. Employers collect workforce members' personal information through different processes and at different points in their relationship with different categories of workforce members. Employers should inventory these points of collection so they can determine when they need to deliver the required notice.
  3. Gather the information necessary to prepare required notices. Employers should gather the categories of personal information collected about each relevant category of workforce member and identify the purposes for collection.
  4. Determine the most effective way to provide notice at or before the point of collection. For example, employers may decide to provide notice to all job applicants in an online applicant privacy policy. By contrast, notice to employees may be spread across several documents, such as a general notice for onboarding employees and notices tailored to specific types of data collections, through the collection of personal information through a timekeeping app or monitoring the employer’s information systems.
  5. Prepare and deliver notices. While the CCPA mandates the minimum required content of the notice, the CCPA, as applicable to the personal information of workforce members, does not specify the form of the notice or the method of delivery. The nature and variety of the points of the employer’s collection most likely will drive form and method. For example, employers that track the location of field service employees may choose to deliver notice concerning GPS tracking only in connection with those employees’ download of a GPS tracking app to their mobile device.
  6. Implement internal policies. Employers must ensure their notices keep pace with changes in their data-handling practices. Anticipating changes in data handling and providing prior notice, however, will require awareness and coordination among different departments. For example, a manager may not realize that posting photographs of employees on an “employee of the week” intranet page requires prior CCPA-compliant notice. To ensure compliance, employers should consider implementing internal policies and provide training.
  7. Watch for upcoming developments. California Attorney General Xavier Becerra is in the process of drafting regulations to implement the CCPA. When the regulations are finalized, employers should check if the attorney general has provided additional guidance on the limited application of the CCPA to employers. Employers should also watch for changes to the sunset provision. Legislative developments may narrow the scope of CCPA obligations that fall on employers starting Jan. 2, 2021.

Photo by Joseph Barrientos on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Kwabena Appenteng, CIPP/E, CIPP/US IAPP Member Contributor
Headshot Philip Gordon IAPP Member Contributor
Headshot Zoe Argento, CIPP/US IAPP Member Contributor
Tags
Government
U.S.
Employee Privacy
Privacy Law
1 Comment

If you want to comment on this post, you need to login.

  • comment William Casti • Nov 20, 2019 
    These amendments to the CCPA were signed into law on Oct 13, 2019 by Gov. Newsom:
CLARIFYING AMENDMENTS & EXEMPTIONS:  
Assembly Bill 1355 exempts deidentified or aggregate consumer information from the personal information definition; creates a one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
DATA BROKER REGISTRATION: 
Assembly Bill 1202 requires data brokers to register with the California Attorney General.
EMPLOYEE EXEMPTION: 
Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
CONSUMER REQUEST FOR DISCLOSURE METHODS: 
Assembly Bill 1564  requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number, but provides that, for a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, is only required to provide an email address for submitting CCPA requests.
VEHICLE WARRANTIES & RECALLS: 
Assembly Bill 1146  exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
PUBLICLY AVAILABLE INFORMATION: 
Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The amendment also clarifies that the definition of “personal information” excludes deidentified or aggregate consumer information.
Data Breach Notification:  In the context of data breaches, Assembly Bill 1130 revises the personal information definition to add specified unique biometric data, tax identification numbers, passport numbers, military identification numbers, and unique identification numbers issued on a government document in addition to those for driver’s licenses and California identification cards to these provisions. The amendment also authorize inclusion in the data breach notification involving biometric data, instructions on how to notify other entities that used the same type of biometric data as an authenticator to no longer rely on data for authentication purposes.
Related Stories
California state court sets hearing on CPPA regulations process
The Superior Court of California, County of Sacramento, scheduled a 21 June hearing for arguments regarding the California Privacy Protection Agency's rulemaking authority. The California Chamber of Commerce is challenging whether the agency has authority to promulgate future regulations without all...
Read More
AEPD, regional DPAs issue guidance for Wi-Fi tracking technology
Spain's data protection authority, the Agencia Española de Protección de Datos, issued joint guidance with three regional DPAs regarding entities seeking to deploy Wi-Fi tracking technology, which allows mobile devices to be tracked through the Wi-Fi signals they emit. The DPAs said before such tech...
Read More
FTC to begin BetterHelp settlement disbursement
The U.S. Federal Trade Commission announced approximately 800,000 consumers will be notified of refunds from a USD7.8 million privacy settlement between the agency and online therapy provider BetterHelp. The 2023 settlement covered claims that BetterHelp used consumers' sensitive health information ...
Read More
Singapore approves Cybersecurity Act updates
The Straits Times reports on a proposed update to a law giving Singapore's Cyber Security Agency more oversight of high-risk computer systems. The bill would require critical information infrastructure operators to disclose any outages and attacks that affect their servers under the Cybersecurity Ac...
Read More

Related Stories
Tags
Government
U.S.
Employee Privacy
Privacy Law
Recent Comments