California lawmakers passed a landmark privacy act in 2018 that provides sweeping new protections for consumers, and wades into territory covered by the European Union’s far-reaching General Data Protection Regulation, or GDPR.
Called “GDPR Lite” by some, the California Consumer Privacy Act, or CCPA, gives consumers the right to know what personal information is being collected, how it will be used, and whether it will be traded, bought, sold or reused. With it, consumers also can have their personal information deleted and exempted from sale.
Prompted, in part, by the Equifax breach that exposed the personal information of 147 million Americans in 2017, the law was pulled together quickly and included plenty of technical problems and unanswered questions. Employers, in particular, wondered whether their workers would be considered consumers under the law — and what that meant for them as they gathered and managed sensitive data from background checks and other activities.
We now have some answers.
In October, California Gov. Gavin Newsom signed several amendments — including Assembly Bill 1355 and Assembly Bill 25 — that clarify how CCPA applies to the workforce. And while updates do offer up some exemptions for workplaces, there are still actions employers must take to comply with the CCPA as soon as January 2020. Here’s why employers need to pay attention.
Who must comply with the CCPA?
The privacy act doesn’t cover every company. Businesses located in and outside of California must follow the California Consumer Privacy Act if they fall under one or more of the following categories:
- They have gross annual revenues of more than $25 million.
- They buy, receive or sell personal information of 50,000 or more consumers, households or devices.
- They earn 50% or more of their annual revenues from selling consumers’ personal information.
Is background check information covered?
Background check data was initially part of the privacy act’s scope of coverage. As of the 2019 legislative session, it no longer is.
As amended by AB 1355, the act now exempts activities authorized by the federal Fair Credit Reporting Act, or FCRA. That includes background checks conducted by a consumer reporting agency at the request of an employer in accordance with the FCRA.
AB 1355 also simplifies CCPA’s public records exemption to cover any information that is “lawfully made available” from federal, state or local government records.
The FCRA is a long-standing regulation that sets requirements for how employers and consumer reporting agencies handle consumer data, in particular, background reports. It provides consumers, as candidates for employment, with notice about how their data will be used and lays out a dispute process to correct the accuracy or completeness of the information reported to potential employers.
In other words, the FCRA meets the very same goals that California’s new law is designed to accomplish. That’s why lawmakers exempted FCRA-approved activities in AB 1355 and scrubbed any compliance responsibilities under CCPA as it relates to background checks.
Employers beware: Compliance responsibilities remain
Just because background checks are exempted from California’s privacy act doesn’t mean that employers can ignore the new law. Employers are still required to meet the following compliance responsibilities under CCPA:
- Privacy notices to employees
Starting January 1, 2020, employers must provide privacy notices to employees that describe what personal information will be gathered and how it will be used “at or before the point of collection.”
Personal information, according to the act’s expansive definition, covers “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
- Reasonable security measures
California already has a law, passed in 2002, that requires companies to notify consumers about data breaches. The CCPA bolsters that law, letting California residents seek $100 to $750 per incident in statutory damages when a breach leads to the theft of certain sensitive personal information because the company didn’t take the appropriate steps to prevent it.
Though some hoped it would, AB 25 doesn’t strike employers from this section of the act. Effective January 1, 2020, employers could face costly damages to the tune of up to $750 in fines per incident, if vital employee data is stolen and they didn’t take action to safeguard it.
- Access and deletion request requirements
Employers do get a partial one-year reprieve, so they can prepare to provide employees, job seekers and independent contractors with the right to access and delete personal information that’s used for workplace reasons, free of retaliation. Workers will also have the right to know if their personal information is being disclosed or sold to third parties, to opt out of the sale of their personal information, and to request a copy of all personal information that the company has on file for them. Unless AB 25 is further amended, employers will be temporarily exempted from abiding by these provisions of the CCPA but should expect to comply effective January 1, 2021.
5 steps to prepare for CCPA
Preparations to comply with California’s privacy act should look very similar to the efforts to get ready for GDPR a few years ago. Employers must start from the foundation up with a deep understanding of the company’s privacy frameworks: what data is collected, how it’s archived and accessed, how it can be reported to individuals, and, if requested, deleted.
Here’s how to prepare:
- Get those privacy notices drafted. By January 1, employers must have ensured that privacy notices are CCPA-compliant and ready to go.
- Secure employee data. The law doesn’t spell out “reasonable security procedures,” but employers can take their cue from California’s 2016 data breach report, which recommends, at minimum, the 20 measures identified in the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.
- Establish access and deletion systems. As they get ready for the requirement to provide workers and others with their personal information and the opportunity to delete it, workplaces will need to put systems in place by 2021 to comply with the rule, and should consider whether they can reduce the amount of information they collect so it’s less cumbersome to meet the mandate.
- Address third-party vendors. Any outsourced human resources provider and staffing firm will need to comply with the new rules or an employer could be held liable. Ensure they are up to speed.
- Remember independent contractors. California’s Assembly Bill 5, triggered by Dynamex Operations West, Inc. vs Superior Court of Los Angeles, limits who employers can classify as an independent contractor. The California Consumer Privacy Act is just another reason to ensure that the independent contractors on your payroll are properly classified and afforded adequate protection under the law.
- Don’t let your guard down. Lawmakers could revisit AB 25 or consider other amendments to CCPA in the next legislative session, so it’s a good idea to stay on top of new proposals and discussions.
Even if their companies aren’t located in California, all employers should take note of these new privacy rules. When it comes to laws, the Golden State often is a trendsetter. As the next legislative season heats up across the country, it’s likely more states will follow suit.