BCLP At Work

GDPR

Employer CCPA FAQs #4: What information is not “Personal Information” under the CCPA?

This post is part of our series of FAQs examining the California Consumer Privacy Act (“CCPA”) that should help employers with operations in California to determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance. By way of background, the CCPA is a new privacy law that will go into effect in early 2020. Because the CCPA refers to “consumers,” many HR professionals do not realize that the CCPA, as currently enacted, also applies to data collected about California-based employees. Please see our recent blog post for a summary of which employers will be subject to the CCPA and the key requirements of the law. Although the law will not be in effect until next year, employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the European Union’s General Data Protection Regulation (“GDPR”), the requirements of the CCPA will likely require a new analysis of the treatment of employee data and updated or new data policies. Employers who are required to comply with the GDPR will likely already be familiar with many of the requirements of the CCPA, and a key area of interest is the degree to which the CCPA aligns with the GDPR for purposes of implementing CCPA-compliant practices for their California-based employees. BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols

Employer CCPA FAQs #3: As used in the CCPA, do the terms “personal data,” and “personal information” mean the same thing?

In the coming weeks we will be releasing a series of FAQs examining the California Consumer Privacy Act (“CCPA”) of particular importance to employers. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance. By way of background, employers with operations in California should be aware of the CCPA, a new privacy law that applies to data collected about California-based employees. Because the CCPA refers to “consumers,” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees. Please see our recent blog post summarizing the CCPA for employers. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee data and updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees. BCLP also offers a complete compliance

Employer CCPA FAQs #2: What is “personal information” under the CCPA?

In the coming weeks we will be releasing a series of FAQs examining the California Consumer Privacy Act (“CCPA”) of particular importance to employers. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance. By way of background, employers with operations in California should be aware of the CCPA, a new privacy law that applies to data collected about California-based employees. Because the CCPA refers to “consumers,” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees. Please see our recent blog post summarizing the CCPA for employers. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee data and updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees. BCLP also offers a complete

Employer CCPA FAQs #1: Does the CCPA apply to employee data?

In the coming weeks we will be releasing a series of FAQs examining the California Consumer Privacy Act (“CCPA”) of particular importance to employers. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance. By way of background, employers with operations in California should be aware of the CCPA, a new privacy law that applies to data collected about California-based employees. Because the CCPA refers to “consumers,” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees. See our recent blog summarizing the CCPA for employers: [https://bclpatwork.com/meet-the-ccpa-new-privacy-rules-for-california-employees/] The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. For U.S. employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee data and updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees. BCLP also offers

Meet the CCPA: New Privacy Rules for California Employees

Employers with operations in California should be aware of the California Consumer Privacy Act (“CCPA”), a new privacy law that applies to data collected about California-based employees. HR professionals should be aware that, although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” will apply to California-based employees.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

  • Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;
  • Their business has gross revenue greater than $25 million; or
  • Their business derives 50% or more of its annual revenue from sharing personal information.

What are the key implications of having to comply with the CCPA?

Employers who have to comply with the CCPA will be subject to the CCPA’s:

  • Expansive definition of “personal information”;
  • New notice requirements for California-based employees, with notices describing the employer’s collection, use and disclosure of personal information;
  • New data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;
  • Special rules for the collection and use of personal information of minors;
  • Requirement to implement appropriate and reasonable security practices and procedures;
  • Enforcement provisions, including a statutory damages framework; and
  • Private right of action for employees.

The CCPA will go into effect in early 2020, and employers who must comply should be

GDPR HR series: Data breaches – what you need to do when you discover a data breach

Welcome to the third post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.

This blog focuses on new obligations imposed by the GDPR to notify the relevant supervisory data protection authority (“DPA”) and those individuals whose personal data have been affected, when an employer becomes aware of a violation affecting personal data that it processes (a “data breach”).

If an employer discovers that the personal data it holds concerning its employees is, for example, accidentally accessed by a third party without authorization, what practical steps should it take to manage such a breach?

What is a “data breach”?

A personal data breach occurs when a breach of security affects the personal data’s confidentiality (unauthorized disclosure of or access to the data), integrity (data is involuntarily or unlawfully modified or destroyed) or availability (loss of data). Data breaches can be accidental or deliberate.

What immediate steps should an employer take when it discovers a data breach?

  • Take immediate action to mitigate the breach (for example, restore access authorizations where there has been a security failure and take such other IT security measures as necessary);
  • Set up a crisis team. This should include the Data Protection Officer (the “DPO”) if the company has one (or, if not, a person responsible for data privacy in the organization) as well as people from HR, Legal, IT and any other

GDPR HR Series: Subject Access Requests Under the New Regime – What You Need to Know

Welcome to the 2nd post in our ‘GDPR HR Issues’ blog series. Drawing on key insights from across Bryan Cave Leighton Paisner’s global Employment & Labor team, the series highlights key GDPR issues affecting employers.

With the General Data Protection Regulation (‘GDPR’) coming into effect today, employers with EU-based staff need to ensure that they properly comply with the new regime. Failure to do so can result in significant fines and disruption to your business.

This blog focuses on the changes made by GDPR to a fundamental data protection right – an employee’s right to find out what information their employer holds on them by making a data subject access request (‘DSAR’).

Complying with a DSAR can involve a lot of work and significant cost, not least because the request may require the employer to search in many different places for the employee information, which by its nature may not be held in a clearly structured way. For example, an employee could ask for details of email discussions that others in the organization have had about them over a long time period, which could require extensive searches of various email accounts. In some jurisdictions it is common for employees who are in dispute with their employer to use DSARs to obtain early disclosure of information that they can use in their dispute, or simply to put pressure on the employer. An employer cannot normally refuse to provide the information, unless an exception applies. A common exception in this context
GDPR HR Series: Employee Information Notices About Personal Data – Your Key Questions Answered

Following the combination of the Labor & Employment practices at Bryan Cave and BLP, Bryan Cave Leighton Paisner’s combined team now includes over 120 employment lawyers in offices across the US, UK, France, Germany and Russia, with excellent capabilities and a strong network in Asia. Committed to collaboration, and with our strengthened offering, experience and substantive knowledge advising clients on GDPR, we bring you our new ‘GDPR HR Issues’ blog series. Drawing on key insights from across our team, the series highlights the key GDPR issues affecting employers.

The General Data Protection Regulation (‘GDPR’) comes into force in less than two months. From an HR perspective it imposes data obligations on any US, European or other employer with EU-based staff. Failure to comply with the GDPR regime can result in significant fines and disruption to your business. Are you ready?

Our first blog deals with ‘privacy notices’ aimed at staff. GDPR requires employers to give information to their workforce, setting out in particular the personal data (employee information) the employer holds about them, how it is used, and with whom the information is shared.

We already give staff a privacy notice under existing data protection laws. Is that enough?

No. GDPR imposes new requirements on employers. Employers must give more detailed information than is currently required under existing EU data protection laws. Employers also need to ensure that their privacy notices accurately reflect their workforce data processing activities.

Our privacy notice is very long and complex. Is that a
Less than 90 days to go – are you GDPR compliant?

“GDPR – please not again …” In recent times there is hardly any other legal topic more often written and talked about than the new EU General Data Protection Regulation (“GDPR”).

In light of the severe penalties and with less than 100 days until the GDPR goes into full effect (on May 25th, 2018), it is time for U.S. companies to take steps to prepare. Below are some key points to consider and pragmatic to-dos to assist in assessing whether your organization is ready for GDPR compliance.

GDPR may apply to U.S.-based companies with zero employees and no offices within the boundaries of the EU territory

While the EU Data Protection Directive of 1995 did not apply to businesses outside the EU territory, this is no longer the case under GDPR.

Now any business may be subject to the new law if it processes personal data of an individual residing in the EU; not even a single transaction needs to occur. As long as your data processing relates to offering services to, or monitoring the behavior of, EU data subjects on the EU market, the GDPR may apply to your U.S.-based business. The location of a consumer is the key term to identify whether an individual is deemed a “data subject in the Union.” While “location” does not necessarily relate to the consumer’s legal “citizenship” or “residence,” lawyers often use the term “residency” as a shorthand way of referring to those people to whom the direction of services might