Question: I heard that California’s new privacy law applies to employers now.  What does this mean for my business?

Answer:  California’s new privacy law, the California Consumer Privacy Act (“CCPA”), is effective January 1, 2020.  Among other new protections, the law gives “consumers” the right to require that covered businesses delete their data, say no to the sale of their personal information, be free from discrimination, and seek legal action against businesses that violate these rights.  After the CCPA’s passage in June 2018, it had been unclear whether “consumers” included employees.  On October 11, 2019, Governor Newsom signed an amendment (AB 25) clarifying that employees are protected under the CCPA as “consumers” and giving covered employers an additional year to comply with most of the CCPA’s requirements.

The first question businesses should ask is whether the CCPA applies to them.  With some limited exceptions, employers must comply with the CCPA if they satisfy at least one of the following three criteria: (1) have annual gross revenues in excess of $25 million; (2) derive at least half of their annual revenues from selling consumers’ personal information; or (3) handle, buy, share, or sell personal information belonging to at least 50,000 California residents annually.  Although the law covers large employers, even some small businesses might find themselves covered by the CCPA if they collect information about who is using their websites.  For example, a small business that has a website with an average of 137 unique visits per day and collects data about the devices or consumers who are accessing the site will likely be “handling” or “sharing” the personal information of 50,000 California residents annually, and therefore be covered by the CCPA.

AB 25 gives covered employers until January 1, 2021 to comply with all the CCPA’s requirements pertaining to employee data except for two requirements that employers must comply with now.

First, covered employers must ensure they have implemented reasonable physical and electronic security measures to safeguard the personal information of employees and job applicants.  If a data breach occurs due to a failure to implement reasonable security measures, an affected employee or applicant can file an individual lawsuit or a class action and potentially recover up to $750 per consumer per data breach incident or their actual damages, whichever is greater.

Second, covered employers must inform all employees and job applicants of the categories of personal information the business collects about them and the business reasons for which the information will be used.  This disclosure need only list the “categories” of information collected.  For example, a business could list “Education Information” as a category, and the business reason could state “Evaluate an individual’s qualification and suitability for hire, salary level, and potential promotion to a new position in the company.”  This disclosure must be made before or at the time you receive personal information of any employee or job applicant.

Unless the California legislature makes additional changes to the CCPA soon, covered employers will have to comply with all the CCPA’s requirements by January 1, 2021.  Even though enforcement by the California attorney general does not begin until July 1, 2020, employers doing business in California should immediately determine whether the CCPA applies to them and, if it does, determine what steps they should take to comply.