The application of the California Consumer Privacy Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.
Why the Uncertainty?
According to critics, the new law was never intended to apply to employee data and the resulting language is just an unintended consequence of hasty drafting. Others advocate for the act to apply to employee data and view the CCPA’s broad definitions as a purposeful maneuver to have the act apply to all personal data and not just data associated with business-to-customer interactions. Regardless of whether the act should or was intended to apply, there is little disagreement that the CCPA, in present form, facially applies to employee data.
Some of the skepticism about the intent to apply the CCPA to employee data is based on view that the law is meant to be a general consumer protection measure, following the common understanding of “consumer,” i.e., an individual who buys products or uses services for personal, family or household purposes. After all, the act is named the California Consumer Privacy Act. In addition, various provisions appear to not fit employment relationships. For example, organizations are to satisfy the core notice obligations by posting the notice on their public-facing website. This is inconsistent with typical methods by which employers provide notice to their employees. Another example is the anti-discrimination provision that prohibits the denial of goods or services to a consumer or the charging of different prices or rates for goods or services in response to a consumer’s exercise of CCPA rights. The provision does not address workplace-related anti-discrimination activities based on the exercise of CCPA rights. Conversely, there are broadly drafted provisions that some advocates point to as indications that the legislature might have intended to cover employee data:
- Foremost, the plain language definition of “Consumer” under the CCPA is “a natural person who is a California resident.” As noted above, this plainly encompasses employees.
- The legislative findings acknowledge that “i[t] is almost impossible to apply for a job . . . without sharing personal information.”
- The CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The act provides a non-exhaustive list of examples, which includes “professional, employment-related information.”
- While there is nothing in the legislative history reflecting an intent to apply the CCPA to employee data, there is similarly nothing in the legislative history suggesting an intent to exclude employee data either.
Following passage of the CCPA, a coalition of companies lobbied the legislature for a narrowing of the definition of “Consumer” to exclude employees and contractors. Consumer advocacy groups opposed efforts to “rewrite the definition of what information is covered or who a protected consumer is.” SB 1121, which the legislature passed on August 31 amending the CCPA, did not include any narrowing of the definition of “Consumer.” While the passage of SB 1211 without such a change is not dispositive as to original intent, it is nonetheless notable.
Practical Implications of Applying the CCPA to Employee Data
While it is not clear the legislature contemplated applicability to employee data, the CCPA can be read to confer rights on employees with regard to personnel records and other employee data. The CCPA is a sub-optimal framework for addressing employee data. Some of the reasons include:
Opt-Out Notices on Company Websites
Under the CCPA, businesses must notify consumers of their right to opt out of the sale of their personal information. As noted above, such notice must be given on the business’s public-facing website, without exception. This would be a curious way to provide notice to employees, as employee notices usually take the form of provisions in an employee handbook, sharing information directly with the workforce, or posting notices in common areas such as break rooms.
Opt-Out for Sale of Personal Information
Under the CCPA, consumers have the right to opt out of the sale of their personal information. Most businesses do not actively sell their employees’ personal data. However, given the broad definition of “sale” under the act (i.e., the receipt of any “valuable consideration”), this could implicate some sharing arrangements that companies would not typically have contemplated as involving a sale. Fortunately, there is an exception for the situation where companies are most likely to implicate the definition of sale, i.e., when there is a transfer of personal information to a third party in connection with corporate transactions or bankruptcy.
Anti-Discrimination Clause Leaves Out Employment Terms, Promotions, and Termination
As discussed above, the anti-discrimination clause confers certain rights on consumers. According to the CCPA’s anti-discrimination clause, businesses cannot discriminate against consumers who exercise their rights under the CCPA by denying goods or services, charging higher prices, or providing lower-quality products or services. If the CCPA was truly meant to apply to employees, we might expect this clause to reference the business’s inability to fire an employee, decline promotion opportunities, or offer different terms of employment for exercising their rights under the act.
Data Subject Access and Deletion Rights Present Difficulties for Sensitive Employer Information
The CCPA confers on consumers the right to access their personal information and to request the business delete their information, subject to exceptions. Since the act’s definition of “personal information” encompasses “employment-related information,” employees can arguably request access to confidential performance reviews or internal correspondence about the employee. There is no exception to withhold a business’s confidential information. While the deletion right facially presents an issue where an employee requests that the employer delete certain data, the exceptions to the deletion right are broader than those applicable to access rights and in many cases there may be reasonable exceptions available to employers to retain their employees’ workplace records.
Access and deletion rights are only available so long as the exercise of rights does “not adversely affect the rights and freedoms of other consumers.” It may be very challenging for an employer to know when an access or deletion right might adversely affect someone else’s rights. For example, situations involving workplace harassment could be challenging when an employee requests deletion of disciplinary records (e.g., records of workplace sexual harassment) that are outside of a statutorily prescribed retention period but potentially relevant to the workplace environment.
The Attorney General is given broad authority to write regulations “to further the purposes of” the act. It is conceivable that by the deadline of July 1, 2020, the Attorney General may adopt rules that exclude or soften the CCPA’s applicability to employee data. In addition, the 2019 legislative session might bring amendments that minimize the CCPA’s applicability to employee data. However, many companies, in recognition that January 1, 2020 will arrive quickly, are commencing compliance efforts for employee data as part of the planning. Below we discuss some measures that companies may consider at the outset of the CCPA’s 18-month enforcement grace period.
Operationalizing the CCPA’s Requirements as to Employee Data
The CCPA confers various individual rights, including the right to access personal information free of charge; the right to request deletion of personal information; the right to information regarding collection and disclosure of one’s personal information; and the right to opt out of the sale of personal information. Businesses subject to the CCPA and in the process of assessing how to comply with such rights for consumers generally may want to consider assessing how these rights may apply to employees and then take relevant data governance measures. In particular, companies not inclined to take a wait-and-see-approach as to whether further amendments to the CCPA scale back its applicability to employees may consider implementing the following compliance measures as they relate to employee data:
A vital first step in CCPA compliance is data mapping—creating an inventory of the personal data that a business collects, stores, and shares with others. This exercise allows the business to catalog its data processing practices, from which the business can assess its risks; identify legal obligations; detect security risks, problematic practices, or operational inefficiencies; and pinpoint its operational priorities. The third installation of our CCPA blog series explains the data mapping process.
In the employment context, data mapping will reveal what personal information the business holds about its employees, including in which systems and how that information flows for various operational purposes. The most relevant types of personal information include traditional identifiers (e.g., name, address, phone number, social security number, email address), job applicant information, benefits information, professional or employment-related information (e.g., compensation, performance reviews), geolocation information, internet activity (e.g., browsing history, interactions with websites), and/or characteristics of protected classifications and disabilities. Precisely identifying the types of personal information stored is a necessary step to complying with CCPA notice obligations and data subject requests, such as the rights to access or delete one’s personal information.
Honoring Data Subject Rights
Knowing the scope of individual CCPA rights is an important part of preparing to appropriately honor such rights. The rights to access personal information and to know what personal information is collected and disclosed are limited to the 12-month period preceding the verified request. The CCPA provides further exceptions to data subject rights. For example, the right to deletion does not apply to personal information a business maintains for (1) uses “reasonably anticipated in the context of the businesses’ relationship with the consumer,” including for contractual purposes; (2) “solely internal uses” aligned with reasonable consumer expectations based on a consumer’s relationship with the business; (3) security purposes; and (4) complying with legal obligations. These bases may allow a fair amount of flexibility for employers to deny deletion requests, but businesses may consider assessing and applying appropriate exceptions to the many and varied employee data processing activities. The right of access does not contain as many exceptions and will present more challenges for businesses to apply. Indeed, a business may only deny access to the personal data that it retains if the data subject already was granted such access within the twelve months preceding the request.
It will also be important for employers to assess whether any sharing arrangements with third parties may be deemed a CCPA sale. If any sharing arrangements are CCPA sales, in the employment context, businesses may want to consider means of communicating opt-out rights other than the CCPA-prescribed method (i.e., posting on a public-facing webpage) which, as discussed above, would be an unusual and ineffective way to notify employees and provide them an opportunity to exercise this right.
Exceptions aside, and apart from opt-out requests to the extent a business might be deemed to sell employee personal information, businesses will have to designate methods for their employees to convey requests. At a minimum, these methods must include providing employees with a toll-free telephone number and a website (if the business maintains an internet domain) to submit requests.
Record Retention Policy
The time may be right for businesses to evaluate their record retention practices to determine whether certain retention periods are legally mandated or whether there is another business rationale supporting retention longer than may be required by law. If your business does not have a written record retention policy, or the policy has not been updated in a while, now may be an opportune time to address it. The CCPA excludes from the right to deletion any personal information that the business must retain to comply with legal obligations, such as the 3-year payroll record retention period under the Fair Labor Standards Act or the 4-year tax record retention period per IRS regulations. A good record retention policy explains the legal obligations that apply to maintaining employment records and, if records must be kept for other reasons, the bases for retention time frames. The policy can help a business develop a defensible process for addressing individual rights requests.
Updating Vendor Contracts
Businesses may need to update written agreements with vendors that receive employee data. These contracts must conform to the CCPA vendor contract requirements. For example, such requirements may prohibit service providers from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services.” The contracts may also require cooperation with actionable employee access and deletion requests. An initial step would be to inventory all relevant vendor contracts under which a business may share personal information.
Any entity can be the victim of a security breach. The CCPA creates a private right of action for consumers where their personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” While the CCPA does not include any new data breach notification obligations, the CCPA addresses broader activity than covered in California’s data breach notification statute. Specifically, the CCPA does not contain an exception for the “[g]ood faith acquisition of personal information by an employee or agent,” though a breach involving such circumstances may be relevant to whether the businesses’ practices were reasonable. In the employment context, a breach can occur as quickly as a misdirected email. Given that many breaches occur due to insider mishandling, coupled with the hefty statutory damages available to prevailing parties, companies may wish to implement new employee training programs to minimize this risk.
The CCPA may yet be amended to exclude employee data from its coverage, but that is not a given. And while there are questions about whether the legislature intended to cover employee data, the plain language suggests that companies may be well advised to start planning CCPA compliance activities with employee data in mind.
Click here to read the next post in the CCPA blog series.
Authored by Timothy Tobin, Scott Loughlin and Morgan Perna.
*Morgan Perna was not yet a member of the Washington, D.C. bar when this post was originally published.