The California Consumer Privacy Act (the “CCPA”) imposes new obligations upon certain businesses regarding their collection, use, storage, and disclosure of consumers’ personal information. Beginning on January 1, 2021 the definition of “consumers” will include employees and applicants, dramatically expanding privacy rights when it comes to data collection. This will place new requirements on employers to provide privacy notices and to comply with the CCPA or else face substantial penalties.
What is the CCPA?
The CCPA of 2018 provides robust protections to consumers. The CCPA went into effect on January 1, 2020, and enforcement commenced July 1, 2020. The CCPA also applies to employees and applicants.
Starting January 1, 2020 employees and job applicants have a right to receive a limited CCPA-specific privacy notice and have a private right of action under the CCPA in the event of a data breach that is due to their employer’s failure to implement reasonable security measures.
Beginning January 1, 2021, following the expiration of AB25 which temporarily exempted employers from most requirements of the CCPA, the distinction between employee and consumer will be eliminated. Employees will have the same data access rights granted to consumers under the CCPA. Note that “employees and job applicants” also includes individual contractors, consultants, agents, owners, officers, and directors.
Who Is Covered by the CCPA?
Businesses that will be subject to the CCPA are those for-profit businesses that
- do business in California
- collect the personal information of consumers including employees, and
- satisfy any of the following three criteria:
- have annual gross revenues over $25 million; or
- annually receive, sell, or share personal information about more than 50,000 California residents, households or devices; or
- derive 50% or more of their annual revenue from selling personal information of consumers.
What Are the Notice Requirements for Employers under the CCPA Starting January 1, 2020?
Employers must provide written notice to all employees and job applicants of their rights under the CCPA. This notice must describe the categories of personal information collected, the purposes for which the personal information is used, and any third parties with whom the personal information is shared.
What Are the Notice Requirements for Employers under the CCPA Starting January 1, 2021?
In addition to the 2020 requirements, this notice will have to explain consumer rights and privacy policies including the right of access, deletion, and receiving a copy of the information. Employers will have to implement at least two methods by which employees and job applicants can submit verifiable “consumer requests” to receive a copy of all their “personal information” from the last 12 months. These rights are subject to certain exceptions.
What Are the Potential Consequences of Non-Compliance with the CCPA with Respect to Employees and Job Applicants?
The California Attorney General may levy fines up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. Examples of violations could include a business’s failure to respond to consumer requests to view or delete personal information, or its unauthorized sale of their personal information (or sharing of that data).
Additionally, the CCPA provides a private right of action (with the potential for class actions) for employees if their personal information is subject to unauthorized access or disclosure. The private right of action provides for statutory damages ranging from $100–$750 per consumer per incident.
Call Hill Farrer for Further Questions
Please contact your Hill Farrer attorney or any member of our Labor and Employment department for additional information about this complicated new law. We can provide appropriate policies and notices to comply with the CCPA.