Long gone are the days when companies could claim ownership in their employees’ data, at least in California. As our prior posts have indicated, the definition of “consumer” under the CCPA is extremely broad and extends to employees. A consumer is not only a customer or user of a business’ services, products or websites, but also a business’ employees, contractors and job applicants.
However, despite taking effect in January 1, 2020, the CCPA’s application is currently limited with regard to personal information of employees, contractors, and job applicants collected and used in the employment context. This hold delays application of some provisions of the CCPA with respect to personal information collected in the employment context (originally until January 1, 2021 and now as extended to January 1, 2022 or 2023 as set forth below), including the rights to access data and deletion of data. As a reminder, the exemption also only applies to the extent that the employer collects/uses the personal information in the context of its employment relationship and for employment purposes. Thus, any use of such personal information by an employer outside the scope of the strict employment relationship would remain covered under all of the provisions of the CCPA. For example, if an employer were to allow its insurance company to collect employee data in order to market other insurance services to those individuals, this would not be within the scope of employment and therefore subject to all of the consumer rights otherwise available under CCPA.
Notwithstanding the exemption, employers that are subject to the CCPA must notify employees, contractors and job applicants of the categories of personal information that they collect for employment purposes and how they use it. The notice must be provided at the time of collection.
Such employee data also remains subject to the CCPA’s private right of action for certain data breaches resulting from the failure to implement reasonable security measures. Because employment-related data often includes the types of information that fall within the purview of the CCPA’s private right of action, employers should take note.
Complicating things, California Assembly Bill 1281 just passed and is awaiting signature by the Governor by September 30, 2020. AB 1281 extends the delay of these CCPA rights for employment data to January 1, 2022. However, the AB 1281 hold would only become effective if the California Privacy Rights Act (“CPRA”) – California’s latest privacy ballot initiative discussed in a prior post available here – is NOT approved by voters in the November 2020 general election. If the CPRA passes, as we expect that it may, the CCPA’s employment-related exemption would continue until January 1, 2023.
While current California labor law allows employees to access their personnel records, the CCPA effectively would broaden these rights to other data that is not considered a personnel record per se. Wise companies will start planning now how to implement these obligations. Care must be taken to balance the unequal power that employers hold over employees with the employees’ ability to easily exercise their rights. Employers will need to consider all locations where employee data is stored – in emails, system logs, written documents etc. – and manage to protect the privacy of other employee or individual data that may also be included in a document.