Question:  Someone told me that California has a new privacy law.  What does this mean for my business?

Answer: There is an increasing belief that we have lost control of our personal information. In 2018, California passed a sweeping consumer privacy law to combat recent privacy scandals, including the Cambridge Analytica incident involving Facebook user data.  The new law is complex and its language creates many ambiguities for regulators, businesses, and consumers.  Although lawmakers are still attempting to refine and clarify the law, its fast-approaching January 1, 2020, effective date makes it important to understand the law as it is currently written.

The new law—the California Consumer Privacy Act (“CCPA”)—affords California residents an array of new rights, starting with the right to be informed about what kinds of personal data companies have collected and why it was collected. Among other new protections, the law stipulates that consumers have the right to delete their data, say no to the sale of their personal information, be free from discrimination, and seek legal action against businesses that violate these rights.

At first blush, it appears the CCPA only protects the privacy of consumers.  However, the law’s broad definition of “consumer” includes employees as long as they are natural persons who are California residents because they are either domiciled in California for a temporary or transitory purpose or are in California for more than a temporary or transitory purpose.  While the application of the CCPA to employee data remains an open question, employers should be ready to face the law’s direct implications for employment-related data.

With some limited exceptions, employers must comply with the CCPA if they satisfy at least one of the following three criteria: (1) have annual gross revenues in excess of $25 million; (2) derive at least half of their annual revenues from selling consumers’ personal information; and (3) handle, buy, share, or sell personal information belonging to at least 50,000 California residents annually.  The law clearly reaches large employers, but even small businesses might find themselves covered by the CCPA if they have significant amounts of data.

For example, under the CCPA, employees’ performance reviews, compensation information, and most human resource records may constitute “personal information.” Non-employee California consumers (as defined under CCPA), including customers or clients, will also likely count towards the 50,000 threshold that mandates compliance.  In addition, because “personal information” as defined under the CCPA includes IP address and device identification numbers captured by operating an application or website, the 50,000 number could be relatively easily achieved by many employers.  If an employer finds itself subject to the CCPA, its employees and consumers will have numerous rights under the CCPA.

Still, it is not clear if the CCPA is intended to protect employment-related data, and there have been efforts to amend and clarify the legislation before it goes into effect on January 1, 2020.  One such amendment is Assembly Bill 25, which would specifically exclude employees and job applicants from the definition of “consumer” under the CCPA.  In addition, the Attorney General is working on regulations to implement the CCPA that may clarify the reach of the CCPA.

While the proposed amendment and expected regulations may alleviate some uncertainty, employers should consider proactively reviewing their privacy policies and practices and watching for updates on regulations that may make the CCPA applicable to employee data.