California Consumer Privacy Act (“CCPA”)
As a part of the California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020, employers will be faced with new notice requirements. Businesses are subject to the CCPA if they have gross annual revenues in excess of $25 million; buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; derives 50 percent or more of annual revenues from selling consumers’ personal information.
On or before the January 1, 2020 date, any business or organization subject to the CCPA that employs California residents, hires California residents as independent contractors (which comes with its own set of problems after the recent passing of AB5), or receives job applications from California residents will be required to provide those applicants, employees and independent contractors with a notice “at or before the point of collection” that details the following two items:
- The categories of information that the business will collect about them; and
- The purposes for which the personal information will be used.
How is “Personal Information” Defined?
Under the CCPA, “personal information” is broadly defined and includes information such as Social Security numbers, bank account numbers, education, employment history, characteristics of a protected class under California or federal law (e.g. race, sex, religion, gender, disability, age, etc.), biometric information, medical and health insurance information, and even certain metadata information such as a device IP address. With respect to applicants, employees and independent contractors, this personal information is most often used in the pre-screening, interviewing, onboarding processes, as well as during the course of the business or employment relationship to administer payroll and payments, other benefits including health insurance and retirement plans, and for preparing other legally required records such as the I-9 and EEO-1 forms. California businesses should begin drafting and finalizing legally compliant notices that will accompany any document or form that requests personal information. The notice should also be posted where other general employment related notices are posted. Specifically, business documents that should include a notice include but may not be limited to the following:
- employee handbooks;
- offer letters;
- other new hire forms or paperwork;
- employment agreements; and
- online job application forms and portals.
The CCPA does not merely include personal information related to one individual but extends the definition of “personal information” to households. This would include medical and health insurance information about an employee’s beneficiaries or dependents. Businesses should consider this requirement when assessing their notice obligations as there has been no specific guidance from the legislature or regulators on this aspect of the notice requirements.
How Can Businesses Secure Personal Information?
While many of the employment-related requirements in the original version of the CCPA were suspended until January 1, 2021, the notice requirement and the private right of action in the event of a data breach are still in effect. Businesses should proactively and properly secure employee, applicant, and independent contractor-related personal information to mitigate the risk of liability. Notices that meets the requirements of the CCPA should be drafted and distributed at or before all points where personal information is collected from any employee, job applicant or independent contractor. Businesses should also understand, assess and begin to implement the necessary steps for full compliance with the CCPA as of January 1, 2021.
The attorneys at Carmel & Naccasha have extensive experience advising employers on matters involving employee notice and privacy rights.
Contact Legal Professional
The information provided herein does not, and is not intended to, constitute legal advice; instead all information, content, and materials are for general informational purposes only.
Please contact Ryan C. Andrews if you have any questions or need assistance in ensuring your business is protected.