May 8, 2019

What Employers Should Know About California’s New Data Privacy Law

By Jennifer A. Jackson

Employers with operations in California should be aware of the California Consumer Privacy Act (CCPA), a new data privacy law that takes effect January 1, 2020. Because the CCPA is framed in terms of protecting the rights of “consumers,” many employers may not realize that the act, as currently drafted, also regulates the handling of personal information about California-based employees. Employers subject to the CCPA should be addressing compliance obligations now, including analyzing the treatment of employee data and updating or introducing data privacy and data security policies. Those who fail to comply may face civil penalties of up to $2,500 per violation (up to $7,500 per intentional violation), and/or class action lawsuits seeking statutory damages of $100 – $750 per employee per data breach incident.

Which Companies are Subject to the CCPA?

The CCPA applies to for-profit entities doing business in California that collect personal information about California residents, that alone or jointly with others “determine the purposes and means of the processing” of that personal information, and that

— have annual gross revenue greater than $25 million, OR

— annually buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, OR

— derive 50 percent or more of their annual revenue from selling consumers’ personal information.

Who is Protected by the CCPA?

While the CCPA is framed in terms of protecting “consumers,” the definition of “consumer” is broader than one might expect: “‘Consumer’ means a natural person who is a California resident …” Read literally, “consumer” includes not only an individual who consumes a product, such as a customer of a store, but also that store’s California-based employees, prospective customers and business contacts. As a practical matter, any California-based employee whose personal information is collected by a business subject to the CCPA is protected.

What Information is Covered by the CCPA?

“Personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The CCPA provides an extensive (but not exhaustive) list of data types that may fall under this broad definition.

The following are examples of data governed by the CCPA that employers are most likely to collect about their employees:

1.   Real name

2.   Postal address

3.   Email address

4.   Social Security Number

5.   Driver’s license number

6.   Passport number

7.   Signature

8.   Physical characteristics or description

9.   Telephone number

10.  State identification card number

11.  Insurance policy number

12.  Education

13.  Educational information (as defined by 34 C.F.R. Part 99)

14.  Employment

15.  Employment history

16.  Bank account number

17.  Credit card number

18.  Characteristics of protected classification under California law

19.  Characteristics of protected classification under federal law

20.  Biometric information

21.  Internet or other electronic network activity

22.  Browsing history

23.  Search history

24.  Audio information

25.  Electronic information

26.  Visual information

27.  Profiles of an employee’s behavior

28.  Profiles of an employee’s attitudes

29.  Profiles of an employee’s intelligence

30.  Profiles of an employee’s abilities

31.  Profiles of an employee’s aptitudes

What are the Requirements of the CCPA?

The CCPA’s requirements can be grouped into three buckets – those relating to individual privacy rights; those relating to data security; and those relating to service providers. The following provides a high-level summary of the main issues.

Protecting Individual Privacy Rights

–   Notices to data subjects. A business that collects personal information from employees must inform them, at or before the point of collection, of the categories of personal information it collects and the purposes for which that information will be used. In practice this means a privacy notice delivered no later than the time of collection, for example alongside application or onboarding paperwork.

–   Right to access data. A business must respond, within 45 days of receipt, to an employee’s verifiable request that the business confirm whether it holds personal information about him or her, disclose the categories of personal information it keeps about the individual, and/or provide a copy of the specific pieces of information it has on file.

–   Right to be forgotten. A business must, in certain circumstances, delete the personal information it holds about an employee upon the employee’s verified request. The right to be forgotten, also known as the right to deletion, has several exceptions, such as when the information is necessary to detect security incidents; to protect against deceptive, fraudulent or illegal activity; to enable solely internal uses that are reasonably aligned with the expectations of the employee; to comply with a legal obligation; or to otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided. Employers should map which employee records fall under these exceptions (for example, records kept to satisfy payroll or tax retention requirements) before a request arrives.

–   Right to opt out of sale of information. A business must follow an employee’s direction not to sell the personal information that it holds about him or her. The CCPA defines “sale” broadly to include disclosing or otherwise making personal information available to another business or third party for monetary or other valuable consideration. In the consumer context, the opt-out can be accomplished by including a “Do Not Sell My Personal Information” link on a website. In the employment context, many businesses are surprised to learn that allowing a service provider (for example, a life insurance company) to market additional products to employees may be interpreted as a “sale” of their personal information.

Maintaining Appropriate Data Security

The CCPA ties its breach remedy to whether a business has implemented and maintained “reasonable security procedures and practices” appropriate to the nature of the information, a duty California law already imposes on businesses that own or license personal information (Civil Code Section 1798.81.5). Neither statute defines “reasonable security procedures and practices.” One possible source of guidance on this subject is the California Attorney General’s 2016 California Data Breach Report, a study of the data breaches reported to the AG from 2012 to 2015 (https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf). Though now several years old, the report offers insights into how the attorney general may seek to enforce the CCPA, and what factors a trier of fact may consider in deciding the “reasonableness” of a business’s data security procedures. Most significant is the attorney general’s statement that the Center for Internet Security’s Critical Security Controls, a set of 20 cybersecurity defensive measures (https://www.cisecurity.org/controls/), define a minimum level of information security for organizations that collect or maintain personal information, and that failure to implement the controls that apply to an organization’s environment constitutes a lack of reasonable security.

Dealing With Service Providers

The CCPA allows businesses to disclose personal information to service providers for a business purpose so long as there is a written contract that prohibits the service provider from retaining, using or disclosing the information for any purpose other than performing the services specified in the contract. Without such a contract, the recipient may be treated as a third party rather than a service provider, and the disclosure may be treated as a “sale.”

What are the Risks of Noncompliance with the CCPA?

Where nonencrypted or nonredacted personal information is breached as a result of a business’s failure to maintain reasonable security procedures and practices, an affected employee may sue for statutory damages of $100 – $750 per employee per incident or actual damages, whichever is greater, after giving the business 30 days’ written notice and, where a cure is possible, an opportunity to cure. Two points are worth noting. First, this private right of action uses the narrower definition of personal information in Civil Code Section 1798.81.5 (for example, a name combined with a Social Security number, driver’s license number, or financial account number), not the broad CCPA definition discussed above. Second, because encrypted or redacted data falls outside the remedy, encrypting personal information at rest and in transit is one of the most direct ways to limit breach exposure. The statutory damages provision will likely incentivize plaintiffs’ lawyers to pursue large class actions whenever a security breach exposes the personal information of California residents.

Where a business is in violation of any provision of the CCPA—including the privacy provisions as well as the data security obligation—for more than 30 days after notice of noncompliance, the attorney general may bring an action for civil penalties of up to $2,500 per violation or $7,500 per intentional violation.

What Actions Should Your Business Take Now?

Data Privacy

–   Review and update privacy notices to verify they meet the CCPA’s requirements

–   Review and update the methods for submitting requests to your business for access to, deletion of, or to opt-out of the sale of personal information, to verify they comply with the CCPA

–   Review and update policies or procedures for authenticating individuals that make access, deletion or opt-out requests

–   Draft a “play book” that provides standard communications that can be sent to individuals who make access, deletion or opt-out requests

–   Train employees on the handling of access, deletion or opt-out requests

–   Verify that the policies and procedures in place facilitate the timely fulfillment of access, deletion or opt-out requests

Data Security

–   Memorialize security policies and procedures in a written information security plan or “WISP”

–   Review whether your WISP conforms to a known industry standard or framework, and add any missing policies or procedures

–   Conduct periodic risk assessments to identify the primary risks to information

–   Train employees on your security policies and procedures

Service Provider Agreements

–   Review existing agreements with service providers, including payroll vendors and employee benefit plan providers, and identify any gaps

–   Make sure all service providers with access to information about Californians have written agreements in place

–   Update all agreements to ensure they restrict the service provider’s use of personal information as the CCPA requires

(Jennifer Jackson is the co-leader of Bryan Cave Leighton Paisner’s Commercial Dispute Resolution Practice Group. She also co-leads the firm’s Agribusiness and Food Litigation Team. Her practice includes class action defense, commercial litigation, and product liability defense. She can be reached at (310) 576-2360 or [email protected])