By Jennifer A. Jackson
Employers with operations in California should be aware of the California Consumer Privacy Act (CCPA), a new data privacy law that goes into effect January 1, 2020. Because the CCPA is framed in terms of protecting the rights of “consumers,” many employers may not realize that the act, as currently drafted, also regulates the handling of personal information about California-based employees. Employers subject to the CCPA should be addressing compliance obligations now, including analyzing the treatment of employee data and updating or introducing new data privacy and data security policies. Those who fail to comply may find themselves subject to civil penalties of $2,500 to $7,500 per violation, and/or defending class action lawsuits for statutory damages of $100 – $750 per employee per data breach incident.
Which Companies are Subject to the CCPA?
The CCPA applies to for-profit entities doing business in California that collect personal information about California residents, “determine the purposes and means of the processing” of that personal information, and
— have annual gross revenue greater than $25 million, OR
— buy, sell or share personal information of 50,000 consumers or devices, OR
— derive 50 percent of their annual revenue from sharing personal information.
Who is Protected by the CCPA?
While the CCPA is framed in terms of protecting “consumers,” the definition of “consumer” is broader than one might expect. “‘Consumer’ means a natural person who is a California resident …” Read literally, “consumer” includes not only an individual who consumes a product, such as a customer of a store, but also that store’s California-based employees, prospective customers and business contacts. As a practical matter, any California-based employee whose personal information is collected by a business subject to the CCPA is protected.
What Information is Covered by the CCPA?
“Personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA provides an extensive (but not exhaustive!) list of data types that may fall under the broad definition of “personal information.”
The following are examples of data governed by the CCPA that employers are most likely to collect about their employees:
1. Real name
2. Postal address
3. Email address
4. Social Security Number
5. Driver’s license number
6. Passport number
7. Signature
8. Physical characteristics or description
9. Telephone number
10. State identification card number
11. Insurance policy number
12. Education
13. Educational information (as defined by 34 C.F.R. Part 99)
14. Employment
15. Employment history
16. Bank account number
17. Credit card number
18. Characteristics of protected classification under California law
19. Characteristics of protected classification under federal law
20. Biometric information
21. Internet or other electronic network activity
22. Browsing history
23. Search history
24. Audio information
25. Electronic information
26. Visual information
27. Profiles of an employee’s behavior
28. Profiles of an employee’s attitudes
29. Profiles of an employee’s intelligence
30. Profiles of an employee’s abilities
31. Profiles of an employee’s aptitudes
What are the Requirements of the CCPA?
The CCPA’s requirements can be grouped into three buckets – those relating to individual privacy rights; those relating to data security; and those relating to service providers. The following provides a high-level summary of the main issues.
Protecting Individual Privacy Rights
– Notices to data subjects. A business must give notice of its privacy practices to those employees about whom it has collected personal information. This privacy notice should typically be given at or before the time the information is collected.
– Right to access data. A business must respond to an employee’s verified request that the business confirm whether it has personal information about him or her, the type of personal information that the business keeps about the individual, and/or a copy of the specific information that the business has on file.
– Right to be forgotten. A business must, in certain circumstances, delete the personal information it holds about employees. The right to be forgotten, also known as the right to deletion, has several exceptions, such as when the information is necessary to detect security incidents; to protect against deceptive, fraudulent or illegal activity; to enable solely internal uses that are reasonably aligned with the expectations of the employee; to comply with a legal obligation; or to otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided.
– Right to opt out of sale of information. A business must follow an employee’s direction not to sell the personal information that it holds about him or her. In the consumer context, this can be accomplished by including a “Do Not Sell My Personal Information” link on a website. In the employment context, many businesses are surprised to learn that allowing a service provider (for example, a life insurance company) to market additional products to employees may be interpreted as a “sale” of their personal information.
Maintaining Appropriate Data Security
The CCPA requires that businesses put into place “reasonable security procedures and practices” to help protect personal information from being breached. The CCPA does not define “reasonable security procedures and practices.” One possible source of guidance on this subject is the California Attorney General’s 2016 California Data Breach Report, a study of the data breaches reported to the AG from 2012 to 2015 (https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf). Though now several years old, the report offers insights into how the attorney general may seek to enforce the CCPA, and what factors a trier of fact may consider in deciding the “reasonableness” of a business’s data security procedures. Most significant is the attorney general’s endorsement of the Center for Internet Security’s Critical Security Controls, a set of 20 cybersecurity defensive measures (https://www.cisecurity.org/controls/).
Dealing With Service Providers
The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA.
What are the Risks of Noncompliance with the CCPA?
Where personal information is breached as a result of a business’s failure to maintain reasonable security procedures and practices, an affected employee may sue for damages of $100 – $750 per employee per incident or actual damages, whichever is greater. The statutory damages provision will likely incentivize plaintiffs’ lawyers to pursue large class actions every time a security breach exposes the personal information of California residents.
Where a business is in violation of any provision of the CCPA—including the privacy provisions as well as the data security obligation—for more than 30 days after notice of noncompliance, the attorney general may bring an action for civil penalties of up to $2,500 per violation or $7,500 per intentional violation.
What Actions Should Your Business Take Now?
Data Privacy
– Review and update privacy notices to verify they meet the CCPA’s requirements
– Review and update the methods by which individuals submit requests to your business for access to, deletion of, or opt-out of the sale of personal information, to verify they comply with the CCPA
– Review and update policies or procedures for authenticating individuals who make access, deletion or opt-out requests
– Draft a “play book” that provides standard communications that can be sent to individuals who make access, deletion or opt-out requests
– Train employees on the handling of access, deletion or opt-out requests
– Verify that the policies and procedures in place facilitate the timely fulfillment of access, deletion or opt-out requests
Data Security
– Memorialize security policies and procedures in a written information security plan or “WISP”
– Review whether your WISP conforms to a known industry standard or framework, and add any missing policies or procedures
– Conduct periodic risk assessments to identify the primary risks to information
– Train employees on your security policies and procedures
Service Provider Agreements
– Review existing agreements with service providers, including payroll vendors and employee benefit plan providers, and review potential gaps
– Make sure all service providers with access to information about Californians have agreements in place
– Update all agreements to ensure they meet CCPA requirements
(Jennifer Jackson is the co-leader of Bryan Cave Leighton Paisner’s Commercial Dispute Resolution Practice Group. She also co-leads the firm’s Agribusiness and Food Litigation Team. Her practice includes class action defense, commercial litigation, and product liability defense. She can be reached at (310) 576-2360 or [email protected])