Seyfarth Synopsis: California's Attorney General is drafting regulations that will shape employer obligations under the California Consumer Privacy Act.

The California Consumer Privacy Act ("CCPA") has engendered much confusion. The original enactment defined "consumer" to include employees, thereby imposing sweeping, onerous burdens on employers. Fortunately, the CCPA was amended so that employees, business owners, officers, medical staff, and independent contractors are not "consumers." Nonetheless, the CCPA still requires employers to provide employees with privacy policies.

The CCPA goes into effect on January 1, 2020, and the enforcement deadline is the sooner of July 1, 2020, or six months from when California's Attorney General issues final regulations. The Attorney General is still in the process of drafting final regulations.

Privacy Notices Required

The issue of employee coverage under the CCPA has been a fractious one. In an attempt to reach a compromise between business interests and privacy rights, the California Legislature passed a series of bills, the most important being AB 25, which largely exempt employees from the CCPA while still requiring employers to provide employees with privacy policies.

Currently, the CCPA does not clearly state what must be included in a privacy policy, and it is generally unhelpful on how to draft or issue policies. The AG's draft regulations (some issued in November) are the only official guidance on how to draft and implement CCPA-compliant employee privacy policies.

Some notion of what employee privacy policies must contain emerges from the draft regulations, the CCPA as it currently exists, and privacy policy drafting conventions:

  • a description of the categories of personal information to be collected, and
  • the purposes for which the disclosed categories of personal information will be used.

General Principles Regarding Drafting Employee Privacy Policies

The AG has drafted some important requirements for how to write a privacy policy, but the current regulations are not final and it is unclear if they will apply to employee privacy policies. (Adding to the confusion, the current draft does not distinguish between policies that must be provided to employees and those that must be provided to consumers.)

The draft regulation does contain instructive general principles, though. They help insulate an employer from claims that the privacy policy was "unfair" or "deceptive." To that end, employee privacy policies should be drafted as follows:

  • Use "plain, straightforward" language.
  • Use a format that draws the employee's attention to the policy.
  • Make the policy available in languages usually used to provide notices to employees.
  • Make the policy accessible to employees with disabilities.
  • Present the policy before collecting employees' personal information.

Employee Privacy Policy Drafting—Content

The current AG regulations largely mirror existing requirements. But we expect to see the requirements expanded, as that has been our experience with what other regulators have required. With that foreseen result in mind, we recommend additional disclosures relating to:

  • the technologies used to collect personal data,
  • what third parties (usually service providers) will have access to personal data, and
  • the purposes for which the third parties will use personal data.

Failure to include these kinds of disclosures in a policy may trigger an argument that the policy did not disclose information that a reasonable employee would want to know in order to make an informed decision. (This is the traditional test the FTC uses in starting its "deception" analysis under Section 5 of the FTC Act. Although the FTC Act doesn't apply here, the AG knows the FTC's approach and could well use the same logic in enforcing the CCPA.)

Limitations On Use Of Personal Information

Employers not only must provide privacy policies but also must not use personal information for a purpose not disclosed in the policy. Thus, an employer's privacy policy must actually cover all of the employer's different purposes for processing Personal Information.

Implications For Businesses That Process Personal Information

Along these lines, under AB 25, a business cannot process Personal Information for a purpose not disclosed in the privacy notice. Thus, businesses must carefully draft employee privacy notices with a sufficient level of breadth to cover all the ordinary, and extraordinary, purposes to which employee data will be put.

The Clock Is Ticking

AB 25's employee exception to being defined as a "consumer" has a time limit. If the Legislature does not act on the issue of employee privacy in the next session, then the carve-out will expire in 2021, and employees will once again be considered "consumers" under the CCPA.

Business to Business Exemption

Thanks to the passage of AB 1355, businesses need not provide privacy notices to the employees of their clients or their vendors, though businesses must provide notices to their own employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.