Los Angeles, Calif. (October 22, 2019) - In the final days of the legislative session, the California Assembly passed and Governor Newsom signed into law a number of amendments to the California Consumer Privacy Act (CCPA), two of which will impact California employers and provide at least a slight reprieve from compliance with some of the more onerous aspects of the CCPA.

The CCPA applies to all for-profit businesses that do business in California and collect the personal information of consumers, and either have annual gross revenues over $25 million; receive, sell, or share personal information about 50,000 or more California residents or households, or obtain at least 50% of their annual revenue from selling personal information of consumers.

Significantly for employers, employees are included in the definition of consumers under the CCPA, and therefore all companies in California that have over $25 million in annual revenues or “receive” information about 50,000 or more California residents, including job applicants and employees, are covered by the CCPA. Moreover, in determining whether an employer receives information from 50,000 or more California residents, not only are employees counted, but so are job applicants and any dependents whose information may be collected for benefit purposes or on emergency contact forms or employee applications.

The CCPA broadly protects the collection and disclosure of personal consumer information. The personal information that is protected by the CCPA is vaguely and broadly defined so that it can be interpreted to include all identifying information about a job applicant, employee, or employee’s family member. Not only does personal information include obvious categories such as contact information, employment and education history, and EEO information, it can also include internet or social media history collected on company networks and equipment. Presumably all information contained in personnel files and payroll records would fall within the broad definition of personal information that is protected by the CCPA.

The CCPA requires, by January 1, 2020, that all covered businesses have implemented reasonable security measures, both physical and electronic, to safeguard the personal information of employees and job applicants. If a data breach occurs and it is found to have been due to a failure to implement required security measures, individual employees can bring suit for penalties or damages.

Also by January 1, 2020, all covered businesses will be required to disclose to all job applicants and employees, either prior to receipt of the personal information or at the time the personal information is received, of the categories of personal information that the employer is gathering and for what purposes the information will be used. Notably, for now the law only requires disclosure of “categories” of personal information and not a detailed description of every individual piece of personal information. Also starting January 1, 2020, covered employers will be prohibited from using any employee personal information for any purpose that is not listed in the disclosure provided to employees.

Assembly Bill 25 and Assembly Bill 1355, both signed into law by the governor, delay implementation of certain aspects of the CCPA for one year. Specifically, AB 1355 amends the CCPA to:

  1. Clarify that personal information does not include information that has been “deidentified,” meaning that all identifiers that would tie information to an individual have been removed.
  2. Clarify that personal information does not include “aggregate consumer information,” which is defined as “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.”
  3. Delay until January 1, 2021 the application of certain CCPA obligations to “business-to-business” communications or transactions between a business and a consumer, where the communication occurs solely within the context of the business conducting due diligence or providing or receiving a product or service from that business.

AB 25 delays until January 1, 2021 the requirements of the CCPA other than the data protection procedure implementation and disclosure provisions discussed above. However, beginning January 1, 2021, in addition to the foregoing, employers will have to expand the disclosure provided to employees and job applicants by also providing them with a notice of their rights under the CCPA, informing them whether personal information is being shared with any third parties, and identifying the categories of third parties with whom the employer may share the information.

Also beginning on January 1, 2021 employees and job applicants will be permitted to request a full disclosure of what personal information employers have collected and shared, request deletion of information, and request a free copy of the personal information the employer has.

Although these amendments offer a slight reprieve for California employers, there are still several obligations that will lock in as of January 1, 2020, including the requirement for implementation of data protection policies and plans. Businesses should therefore make sure that they have robust data protection measures in place as soon as possible. Employers also need to make sure that they have the complete and proper disclosure notices in place and ready to provide to employees on January 1, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.