BCLPatWork.com

Employer CCPA FAQs #1: Does the CCPA apply to employee data?

Apr 18, 2019

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine whether they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.


Question #1: Does the CCPA apply to employee data?

Yes.

The CCPA protects the data collected about “consumers.” While the common definition of “consumer” suggests that it refers to an individual who has “consumed” a product or a service, the definition ascribed by the CCPA is far broader. The term is defined to include any “natural person who is a California resident.” Read literally, the phrase includes not only individuals who consume a product (e.g., a customer of a store), but also that store’s California-based employees, and California-based business contacts or prospective customers. The statute’s application to employee data is further confirmed by the fact that “personal information” is expressly defined to include “employment-related information.”

Employers with operations in California and with California-resident employees will need to review and prepare for the following to comply with the CCPA:

  1. The CCPA’s expansive definition of “personal information”;
  2. The CCPA’s new notice requirements for California-based employees, under which notices must describe the employer’s collection, use, and disclosure of personal information;
  3. The CCPA’s new data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;
  4. The CCPA’s special rules for the collection and use of personal information of minors;
  5. The CCPA’s requirement to implement appropriate and reasonable security practices and procedures;
  6. The CCPA’s enforcement provisions, including a statutory damages framework; and
  7. The CCPA’s private right of action for employees.

Comparison of Terms used in other data privacy laws

The data privacy and security laws in the United States use different terms to describe the individuals to whose information the laws apply. These include terms such as “covered person,” “individual,” and “customer.” The term used in a particular statute is less important than its definition. For example, two statutes may use the term “individual,” but one may define it as referring to all natural persons whereas another may define it as referring only to natural persons who are resident within the state. As another example, one statute may use the term “covered person” while another uses the term “individual,” and yet they define the terms in an identical manner.

In contrast to the diverse terminology utilized within United States statutes, the European GDPR, and many EU Member State statutes implementing the GDPR, consistently use the term “data subject,” which is defined broadly as any “identified or identifiable natural person” and has been expressly interpreted as including employees.

Looking past the different terms to the content being regulated will assist an employer in determining its compliance needs and adjusting its current notices, policies and procedures as necessary.

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.