Since the writing of this blog, CCPA has been replaced by CPRA.
As the work-from-home model becomes the norm during the COVID-19 era, both employees and employers have made a number of adjustments. For employees, this may include homeschooling their children while trying to remain productive in a full-time job. Some employees may thrive in this sort of environment, while others may long for the days of the 45 minute commute they took for granted.
For employers, the work-from-home model has posed various challenges from a security standpoint. Employers may ask themselves if they have the cybersecurity infrastructure to protect their own network. Can the business adequately account for the security risks posed by the majority of employees using their own laptops and devices? How can the business ensure that sensitive information is not subject to unauthorized access and disclosures?
Apart from the potential security risks presented by the emerging work-from-home model, employers face significant risks from a compliance standpoint. The California Consumer Privacy Act (CCPA) has an enforcement date of July 1st, 2020. Because of the significant amounts of employee data that employers collect, businesses have naturally been concerned about whether this information qualifies under the CCPA’s definition of personally identifiable information (“PII”) and is therefore subject to protection under the law.
This article will discuss the following three topics:
- How does the CCPA define employee-related information?
- Are employees protected under the CCPA?
- Complying with the CCPA.
Does the CCPA apply to employee information? Definition of “employee-related information”
The CCPA regulations specify that “employee-related information” is defined in section 1798.145(h)(1) of the CCPA. That section specifies three categories of information that qualify as “employee-related information” under the regulations:
- Personal information that is:
  - Collected by a business about a natural person (a California resident);
  - In the course of that natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business; and
  - To the extent the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business; or
- Personal information that is:
  - Collected by a business that is emergency contact information;
  - Of a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business; and
  - To the extent that the personal information is collected and used solely within the context of having an emergency contact on file; or
- Personal information that is:
  - Necessary for the business to retain to administer benefits;
  - For another natural person;
  - Relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business; and
  - To the extent that the personal information is collected and used solely within the context of administering those benefits.
In addition to information relating to job applicants and employees, “employee-related information” also includes information related to “owners,” “directors,” “officers,” “medical staff members,” and “contractors” of the business. These terms are defined as follows:
- “Contractor” means a natural person who provides a service to a business under a written contract;
- “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators, and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors;
- “Medical staff member” is defined as a licensed (as defined by the Business and Professions Code) physician and surgeon, dentist, or podiatrist;
- “Officer” is defined as a natural person who is elected or appointed by the board of directors to manage the daily operations of a corporation. These individuals include chief executive officers, presidents, secretaries, and treasurers;
- “Owner” means a natural person who falls under one of the following three categories:
  - Has ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business;
  - Has control in any manner over the election of a majority of the directors or of the individuals exercising similar functions; or
  - Has the power to exercise a controlling influence over the management of the business.
Are employees protected under the CCPA?
Assembly Bill No. 25 (AB 25) was passed to clarify how the CCPA applies to employees. The bill specifies that until January 1st, 2021, information collected from a “natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of the business” is exempted from the requirements of the CCPA. For example, should an employee attempt to request the deletion of their PII collected during their time of employment, the CCPA would not require the business to fulfill the request.
However, AB 25 specifies that employers must still satisfy two CCPA requirements: 1) employers must still provide notice at or before the point of collecting employee-related information; and 2) the employer must implement “reasonable security procedures and practices” to protect the information from unauthorized access, theft, or disclosure. Employers remain subject to private lawsuits for failing to comply with the second requirement.
With respect to providing notice of the collection of PII, the CCPA regulations require the notice to contain the following:
- A list of the categories of consumer PII to be collected;
- The business or commercial purpose for which the categories of PII will be used;
- Provided that the business engages in the “sale” of PII as defined by the CCPA, a link entitled “Do Not Sell My Personal Information” or “Do Not Sell My Info,” or in the case of offline notices, where the webpage may be found online; and
- A link to the Privacy Policy or, in the case of offline notices, where the Privacy Policy may be found online.
However, when the employer is collecting employee-related information, the employer is not required to provide a “Do Not Sell My Personal Information” link or a link to the employer’s Privacy Policy. As such, the regulations only require employers to furnish a list of the categories of information to be collected and the business or commercial purpose for which those categories of information will be used.
As mentioned, AB 25 still requires employers to properly safeguard protected information under the CCPA. This information includes:
- An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  - Social security number;
  - Driver’s license number or any unique state identification number;
  - Account number, or a credit or debit card number, in combination with the credentials needed to access the account;
  - Medical information;
  - Health information;
  - Biometric data.
As such, employers could still be subject to lawsuits from individuals whose information is compromised in a security breach. These individuals may include applicants, employees, contractors, medical staff members, etc.
Preparing to comply with the CCPA
With the CCPA enforcement date here, businesses need to have a comprehensive understanding of any employee-related data that they handle. Although this data was largely exempted from the requirements of the CCPA, that exemption expired on January 1st, 2021.
Furthermore, the CCPA and its enforcement regulations require the employer to provide notice to applicants, current employees, contractors, and others when their information is being collected. This requirement may apply in a variety of situations, such as when applicants fill out job forms or when current employees browse the business’s website. In order to comply with the CCPA and other applicable privacy laws, businesses should consider using Termageddon’s Privacy Policy generator.