Despite its name, the California Consumer Privacy Act, which goes into effect Jan. 1, 2020, potentially could impose substantial compliance burdens on and create significant class-action exposure for every employer that employs California residents and has more than $25 million in annual gross revenues. The compliance burdens and class-action risk, however, are not a “sure thing.” This is because the act, as written, might not apply to employers at all, and a pending bill to amend the act and/or upcoming regulation could establish that the CCPA does not apply to employers’ own human resources data. This uncertainty creates a perilous waiting game for employers that must balance the cost of implementing a CCPA compliance program for HR data against the risk that the time, effort and resources invested in that program could be wasted. This article is intended to help potentially impacted employers to make strategic decisions about how to address the CCPA.
The uncertainty: Does CCPA apply to HR data?
In an article published shortly after the CCPA’s enactment, we explained that while the CCPA’s plain language covers HR data, the act itself offers many indications, such as the absence of the words “employer” and “employee” from the entire statute, that that the California legislature never intended for HR data to fall within the act’s scope. Given the extreme disconnect between the CCPA’s plain language and the apparent legislative intent, it should come as no surprise that a bill currently is pending in the California legislature to expressly exclude HR data from the CCPA’s scope.
California Assembly Bill 25 would add the following exclusion to the Act’s definition of “consumer”:
Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of ... the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of ... the business.
AB 25 currently is pending in committee, but if enacted, would remove HR data from the act’s purview.
If the legislative process does not produce relief, a regulatory clarification could do so. The California Department of Justice currently is scheduled to issue draft regulations this coming fall. In connection with the DOJ’s rulemaking process, several organizations submitted comments calling for a regulatory clarification of the CCPA to exclude HR data.
Implications for employers if the CCPA covers HR data
At its core, the CCPA is intended to provide California consumers with more control over their personal information by creating new rights. These rights include the following: the right to notice/information about business’ handling of personal information, the right to access personal information, the right to delete personal information, and the right to opt out of the sale of personal information. As a secondary measure, albeit creating greater exposure for employers, the CCPA facilitates the prosecution of class-action lawsuits against businesses that suffer an information security breach. After explaining the application of the new rights in the employment context, we will address below the class-action exposure and other enforcement risks for employers.
Right of notice in the employment context
Several provisions of the CCPA, taken together, require businesses to provide consumers with detailed information about the handling of their personal information. This information must be provided in the business’ online privacy policy and, upon request, directly to the consumer as relevant to that consumer. More specifically, within 45 days of receiving a verifiable request, the business must provide the following information:
- What: The specific pieces of personal information collected about the consumer.
- From whom: The categories of sources from whom the personal information was collected.
- Why: The business purposes for collecting the consumer’s personal information.
- To whom: The third parties to whom the personal information has been disclosed.
- Sold: The categories of personal information, if any, sold during the preceding 12 months and the categories of third-party recipients.
- Disclosed for a business purpose: The categories of personal information disclosed for a business purpose during the preceding 12 months.
Collecting this information concerning HR data stored in structured databases, such as the employer’s human resources information system, should be manageable. By contrast, gathering this information in relation to other storage locations, such as email inboxes, local hard drives and paper files, could be a bottomless pit for internal resources. Consequently, employers will be required to balance the appropriate level of compliance against the resources necessary to achieve that level of compliance.
Right of access in the employment context
Providing employees with the right of access could be particularly onerous for employers. This right requires businesses to deliver within 45 days of receiving a verifiable request, the “specific pieces of personal information the business has collected” about the consumer during the 12 months preceding the request. To begin with, the definition of “personal information” includes “[p]rofessional or employment-related information.” This category effectively would include virtually everything in an employee’s personnel file.
Putting aside run-of-the-mill employment records, “personal information” includes other categories of information, ancillary to the employment relationship, that could be extremely burdensome to collect and deliver to employees. For example, “personal information” includes “internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application or advertisement.” Any employer that engages in routine monitoring of its information systems would be challenged to collect all of this information for a 12-month period. As another example, “personal information” includes “[g]eolocation data,” which arguably could include information collected by employers through GPS units in employer-owned vehicles, as well as location information collected through applications downloaded by employees to their employer-issued mobile devices. Collecting this information for the production of an employee could be technically complicated for employers.
Given the breadth of the right of access, employers should note the CCPA’s provision that compliance with the act “shall not adversely affect the rights and freedoms of other consumers.” This provision is especially important in the employment context because it provides employers with the right to refuse to disclose materials that could be damaging to the coworkers of an employee making an access request, such as the identity of a whistleblower.
Right to deletion in the employment context
Because “personal information” includes all “professional or employment-related information,” employees, at first blush, could exercise the right of deletion as a sword — for example, by demanding the deletion of a negative performance appraisal. Critically for employers, the CCPA contains several exceptions to the deletion right. The right of deletion does not apply when retention of the consumer’s personal information is necessary to comply with a legal obligation or for internal purposes that would be consistent with the consumer’s expectations. In addition, the CCPA does not apply where compliance would “restrict a business’s ability to ... [e]xercise and defend legal claims.” These exceptions, when taken together, should permit an employer to reject requests to delete most HR data during the course of the employment relationship and thereafter for the length of relevant statutes of limitation.
Right to opt out of the sale of personal information
Businesses typically do not sell their employees’ personal information. However, the CCPA broadly defines “sale” to include “disclosing ... a consumer’s personal information ... to another business ... for ... valuable consideration.” This definition arguably provides employees the right to opt out of their employers sharing their personal information with service providers that perform HR support functions, such as payroll administration.
Fortunately, the CCPA provides that a business’ disclosure of personal information is not a “sale” if: the service provider agrees, by contract, not to retain, use or disclose the personal information other than to perform the services specified in the service agreement; and the business discloses in its online privacy policy that it shares consumers’ personal information with service providers. Consequently, reviewing existing HR service agreements and amending them, if necessary, will be an important part of any employer’s CCPA compliance program.
Class-action risk for employers
The CCPA does not create class-action risk in relation to the new rights the act confers on California consumers. In fact, the CCPA authorizes only the California attorney general to enforce the CCPA for the recovery of a civil penalty of no more than $2,500 per violation or $7,500 per violation for intentional violations.
The class-action risk could arise from an employer’s lapses in information security. The CCPA effectively provides that consumers can recover, on a class-wide basis, statutory damages of $100 to $750 per consumer if a failure to implement adequate information safeguards results in a security breach. Because the compromise of information commonly maintained by employers — such as Social Security numbers, driver’s license numbers, medical information and health insurance information — generally will trigger a legal obligation to notify affected employers, the CCPA exposes employers to significant class-action risk.
What should employers do now?
The legislative and regulatory uncertainty surrounding the CCPA requires employers to engage in a complex balancing act. On the one hand, a “full-steam-ahead” approach toward compliance would result in wasted time and effort if HR data ultimately were excluded from the CCPA’s scope by legislation or regulation. On the other hand, waiting too long to start compliance efforts could leave employers scrambling if legislative or regulatory relief does not arrive.
To develop their overall strategy, employers should identify the minimum amount of time they anticipate needing to be in a position to respond to requests by employees to exercise their CCPA rights. Before that time arrives, employers can monitor the progress of AB 25 and the rulemaking process while taking low-cost steps toward compliance that would not involve significant wasted resources if an exclusion for HR data were put in place. The steps could include, for example: building the team responsible for implementing CCPA as applied to HR data, reviewing existing security measures for HR data and identifying potential improvements, identifying structured databases that store HR data of California residents, compiling the information needed to respond to information requests, and identifying service providers that maintain HR data on California residents.
Once the organization determines that it must proceed with implementing a CCPA compliance program for HR data — either because no statutory or regulatory exclusion is forthcoming or because the organization cannot tolerate the risk of waiting any longer — it should consider taking the following steps:
- Establish an intake mechanism: Establish a mechanism for former employees to submit requests to exercise their rights.
- Develop policies and procedures: Develop policies and procures to verify the identity of requestors, respond to verifiable requests, and document the response.
- Update online privacy policy: Ensure that the organization’s online privacy policy provides information about how the organization handles the personal information of its prospective, current and former California employees.
- Address information security for HR data: Given the heightened class-action risk arising from an information security breach, review current information security practices and procedures for HR data and address any gaps.
- Amend service agreements: Identify service providers that receive California applicants’ and employees’ personal information and amend service agreements as necessary to address the CCPA.
- Training: Train employees responsible for responding to requests to exercise CCPA rights with respect to HR data and provide initial or additional training to employees on information security to reduce the risk of a security breach.
Photo by Shridhar Gupta on Unsplash