BCLPatWork.com

Employer CCPA FAQs #4: What information is not “Personal Information” under the CCPA?

Apr 24, 2019

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.


Question #4: What information is not “Personal Information” under the CCPA?

The CCPA excludes “publicly available information” from the types of “Personal Information” subject to the law, and it will also not apply to information that is excluded from the general application of the CCPA.

The CCPA defines “publicly available information” excluded from the law as “information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information.”[1] This definition does not appear to be complete, but likely requires that any conditions associated with such information be satisfied in order to be considered “publicly available.” The definition may be clarified during the CCPA rulemaking process.

Note, the following types of information will not qualify as being “publicly available”: biometric information collected by a business about a consumer without the consumer’s knowledge; information that is used for a purpose not compatible with the purpose for which it is maintained in government records or made publicly available; and de-identified or aggregated consumer information.[2]

The CCPA will also not apply to the following[3]:

  1. Protected or health information collected by a covered entity governed by California’s Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the Health Insurance Portability and Availability Act of 1996 (“HIPAA”). For purposes of the exclusion, the definition of “medical information” in Section 56.05 of the Confidentiality of Medical Information Act and the definitions of “protected health information” and “covered entity” from the federal privacy rule will apply.
  2. The sale of personal information to or from a consumer reporting agency if the information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
  3. Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.
  4. Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that law.

For employers, the exclusion of information “governed by” HIPAA is a welcome and understandable exclusion, as “protected health information” is already subject to rigorous standards under HIPAA. This exclusion does, however, raise questions regarding the extent to which personal information will be considered “governed by” HIPAA for purposes of exempting it from the CCPA. For example, many employers do not consider group health plan enrollment information that is collected by employers from employees and transmitted to the group health plan to be “protected health information” subject to the requirements of HIPAA. The reason is that they consider the information to belong to the employer, not the health plan. It is unclear, when analyzing enrollment data for CCPA compliance, whether treating enrollment information as exempt from HIPAA would then make it subject to the CCPA for California-based employees.

These types of considerations highlight the need for employers to conduct in-depth assessments of the types of employee information they collect and to adopt appropriately designed policies to comply with the CCPA.


[1] CCPA, Section 1798.140(o)(2).

[2] Id.

[3] CCPA, Section 1798.145(c)-(f).

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.