Beginning on January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will impose new privacy obligations on certain businesses that collect personal information of California consumers. Employers with employees in California are trying to navigate how the CCPA applies to the employment relationship, including information related to employee benefit plans. Below is a summary of the potential implications for employers that are a “business” covered by the CCPA. To determine if your business is subject to the CCPA, please see our prior article, Are You Covered by the CCPA? For guidance on developing your CCPA compliance project plan, please see our companion article, We Are Covered, So Now What Do We Do? Create A Project Plan!
Are my employees covered by the CCPA?
The definition of “consumer” is very broad, providing that any natural person who is a California resident is a “consumer” for purposes of the CCPA. Currently, this broad definition extends to cover employees who are resident in California. The fact that their relationship with the business is as an employee, and not a consumer of the goods and services of the business, is irrelevant for this purpose. Residency is determined using an analysis of whether an individual is (i) in California for other than a temporary or transitory purpose; or (ii) domiciled in California but temporarily or transitorily outside of California¹. Therefore, your employees who are domiciled in California, including those who are temporarily outside of California on business, are consumers under the CCPA. However, your employees who travel to California to do business periodically, but are not considered resident there, are not “consumers” under the CCPA.
With the California legislature’s September 13, 2019 passing of amendment AB 25, the CCPA is set to apply to consumers in their capacities as employees. AB 25 has itself been revised since it was first introduced. A previous version of AB 25 would have modified the definition of “consumer” to exclude employees from the definition. The passed version of AB 25, which is awaiting action from the governor, leaves the definition of “consumer” unchanged, but it would provide a temporary respite for employers. AB 25 states that the CCPA does not apply to:
Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
However, AB 25 also states that the foregoing paragraph “shall become inoperative on January 1, 2021.” As such, if the governor signs AB 25, the CCPA generally would not cover employees on January 1, 2020, but it would cover employees – and any employment-related and employee benefit plan data held by an employer – on January 1, 2021. Reportedly, the exemption for employees may be made permanent by later amendment, but the temporary reprieve was the result of a political compromise. We cannot currently assess the likelihood of any future amendment to extend this exemption or make it permanent. In any event, the governor has until October 13, 2019 to act on AB 25.
Lastly, note that under AB 25, two key provisions affecting employees will come into effect with the rest of the CCPA on January 1, 2020: (1) employees can sue for data breaches; and (2) the notice regarding categories of information collected, used and disclosed by the employer must be given to the employees. Once January 1, 2021 arrives, the exemption language described above would go away and the CCPA would fully apply to consumers in their capacities as employees. The rest of this article discusses the current text of the CCPA and the implications for employment-related and employee benefit plan data.
Is employment-related data considered “personal information”?
Yes. As the definition of “consumer” is very broad, so is the definition of “personal information.” Employment-related information is clearly “personal information” under the CCPA². There is no exemption for employment-related personal information stored and maintained by an employer, unlike the privacy laws of other states, such as Texas³.
“Personal information” means “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”⁴ Various examples applicable to the employment relationship are listed in the definition, including: name (real or alias), address, email address, SSN, driver’s license number, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information, medical information, health insurance information, biometric information, Internet or other electronic network activity information.
Notwithstanding this definition, to the extent employment-related information is collected or used in connection with an ERISA-covered employee benefit plan, such data may be exempted from the CCPA due to ERISA preemption, as discussed below under “Is employee benefit plan data covered by the CCPA?”
From an employer perspective, consider the following common types of data that would be “personal information” for purposes of the CCPA:
Is employee benefit plan data covered by the CCPA?
Generally, yes. Employee benefit plans collect and use personal information as the plans require various types of personal information in operation, such as name, address, Social Security Number, and insurance policy information. However, compliance obligations of certain benefit plans may be: (1) limited by the CCPA’s HIPAA exemption; and (2) potentially preempted by ERISA.
What rights do my employees get under the CCPA?
The CCPA gives consumers, including your employees who are residents of California, various rights related to their personal information held by your business if your business is subject to the CCPA. For employees, here is what that currently means:
What key steps should employers take?
An employer subject to the CCPA should apply the same steps it is applying to “personal information” it collects from customers and other consumers to employee data and employee benefit plan data that may be subject to the CCPA. However, as a practical matter, the notices provided and the processes involved may be communicated and operated differently for the employee population versus external “consumers”. A few key issues for employers developing a CCPA compliance project include:
Employers subject to the CCPA should begin compliance efforts immediately in order to be prepared for the onerous requirements in advance of the CCPA effective date of January 1, 2020.
Updated from the original article published on April 8, 2019.
1. California Code of Regulations, Title 18, Section 17014.
2. CCPA Section 1798.140(o)(1)(I).
3. For example, in Texas, the medical records privacy law provides an exemption for employers, except with respect to a limited provision on the prohibition on reidentification of PHI. Texas Health and Safety Code Section 181.051.
4. CCPA Section 1798.140(o)(1). Note that “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
6. ERISA Section 514(a).
7. Shaw v. Delta Air Lines, Inc., 463 US 85 (1983).
8. CCPA Section 1798.105.
9. There are additional disclosure requirements if an employer sells employee information for a business purpose; however, a typical employer would not be selling employee information and such disclosure requirements are not discussed herein. CCPA Section 1798.115.
10. CCPA Section 1798.145(c)(1)(B).
11. CCPA Section 1798.120.