Jamie R. Rich and Sarah E. Barrows
Greenberg Traurig, LLP
Jan. 1, 2020, marks the effective date of the recently enacted California Consumer Privacy Act (CCPA), a new law that requires companies to comply with numerous requirements related to collecting and processing personal information of California consumers, employees, and other individuals. Under the CCPA, the definition of “consumer” can easily include California employees who are residents.
Which Employers Must Comply with CCPA?
With some exceptions, employers must comply with CCPA if they receive personal information from California residents (including employees) and if their business – or its subsidiary or parent company – meets at least one of the following criteria:
- Has annual gross revenues in excess of $25 million;
- Buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices annually for commercial purposes (whether alone or in combination with others); or
- Derives 50 percent or more of its annual revenues from selling California residents’ personal information.
Calculating Annual Revenues in Excess of $25 Million. It remains unclear whether annual revenue figures are derived from global revenues or only California revenues – the CCPA does not specify. However, this ambiguity may be addressed by amendments expected in 2019 when the California State Legislature reconvenes after the new year.
Determining if a Business Obtains or Sells the Personal Information of 50,000 California Consumers. The CCPA defines personal information as “any information that . . . relates to . . . a particular consumer or household” and specifically includes professional or employment-related information. Under the CCPA, employees’ performance reviews, compensation information, and many if not all HR records are likely to constitute “personal information,” and non-employee California consumers (as defined under CCPA) will also likely count towards the 50,000 tipping point that mandates compliance.
Calculating 50 Percent of “Sales” of California Consumers’ Personal Information. The CCPA also broadly defines “selling” or “sales” as obtaining monetary or other valuable consideration for “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party[.]” Valuable consideration could include promotions or other marketing activities undertaken in exchange for disclosure of a consumer’s personal information.
What Actions Must Employers Take?
If an employer is subject to the CCPA, its employees (and other consumers) will have numerous rights under the CCPA that will likely require employers to deploy internal and external processes and data handling practices, including, but not limited to, updating employee privacy policies or notices, creating or revising data maps and/or data inventories, revising contracts with service providers, and making designated methods available for employees (and other consumers) who submit data access requests.
What Are Employees’ Rights Under the CCPA?
Under the CCPA, employees are consumers, and their rights include the following:
- Notice, Disclosure & Non-Waiver. Employees must be informed about the categories of personal information collected and the purpose of the collection at or before the collection.
  - No additional categories of information can be collected without prior notice.
  - Employees must be informed if their personal information is being sold or disclosed to third parties such as payroll vendors, benefit providers, and others, for “business purposes.”
  - Employers need to ensure their agreements with service providers expressly prohibit any sale or unauthorized use of employee information.
  - Employers must give employees specific notice of their CCPA rights – including toll-free numbers for submitting requests and clear and conspicuous links titled “Do Not Sell My Personal Information.”
  - Employees cannot be asked to contractually waive any rights provided by the CCPA.
- Data Access. Employees may request that employers disclose the categories of personal information collected about them and the specific personal information collected. Employers must provide the information free of charge within 45 days once the request is verified (with a limit of no more than two requests per 12-month period).
- Deletion. Employees can request that their personal information be deleted. Employers are permitted to retain information necessary for performance of the employment contract, or information required only for internal purposes related to security, First Amendment rights, and the other purposes detailed in Cal. Civ. Code § 1798.105(d) et seq.
- Opt-Out. Employees have the right to opt out of the “sale” of their personal information – here, “sale” falls under the CCPA’s broad definition. Covered employers should be aware of this broad definition when engaging third-party service providers or entering corporate deals that will involve the transfer of personal information.
- No Discrimination. An employer cannot retaliate or discriminate against employees who exercise their rights under CCPA.
What Potential Liability Could Employers Face for Failing to Comply with CCPA?
California employees may institute a civil action under CCPA, even if there is no harm, if a business violates its duty to implement and maintain reasonable security procedures, and if certain types of non-encrypted or non-redacted personal information are subject to unauthorized access or disclosure as a result.
- Only personal information relating to driver’s license numbers, social security numbers, and medical and financial information is actionable “personal information.”
- If there are no actual damages, the employee must provide the business 30 days’ written notice of the alleged CCPA violation to allow the business to cure the defect. If the business does cure within the 30-day window, no individual or class-wide action for statutory damages may be initiated.
- Within 30 days of filing any action, the employee must notify the California Attorney General’s office to give it an opportunity to prosecute rather than allowing the civil action to proceed.
Statutory damages in independent civil actions or class actions involving data theft or other data security breaches range from $100 to $750 per California employee per incident, or actual damages, whichever is greater. The California AG may choose to bring a civil action for CCPA violations. Intentional violations are subject to penalties of up to $7,500 per violation. Unintentional violations that are not cured within 30 days of notice are subject to penalties of up to $2,500 per violation.
The California State Legislature is expected to consider changes to the law when it reconvenes in January 2019.