Introduction: The California Consumer Privacy Act (CCPA), which took effect earlier this year, has left many employers in the Golden State scrambling to comply with privacy regulations concerning the collection and use of personal data relating to consumers. On February 10, 2020, the California Attorney General’s office released an updated version of its proposed regulations, which for the first time provided additional guidance on the notice obligations necessary in the employment context. The comment period for these proposed changes has been extended to February 25, 2020. This article addresses the recent changes incorporated into the CCPA as they concern employees.
For those who are not familiar with the CCPA, the law was enacted for the purpose of providing additional protections and rights concerning the collection, sale, and use of personal data. See our July 9, 2018 Alert for more information. Earlier last year, the application of the CCPA to employee data remained an open-ended question that left many employers baffled. On its plain face, the CCPA appeared to be applicable only to California “consumers.” However, a detailed reading revealed the CCPA broadly defined the word “consumer” to include “a natural person who is a California resident.” As such, the CCPA extended its reach to individuals that share personal information as part of their employment relationship such as interns, volunteers, job applicants, part-time employees, temporary workers, full-time employees, or independent contractors.
In response to voluminous criticism and commentary, the CCPA was amended on October 11, 2019. Significantly, the amendment exempted employers, for one year, from abiding by the CCPA’s more onerous provisions, including granting access and deletion rights to employees, job applicants, or independent contractors. However, employers are still required to provide notice regarding information that is collected from, disclosed by, and/or used for their employees. Thus, although the passage of this amendment temporarily alleviated some concerns regarding the applicability of the CCPA to employees, businesses are still required to comply with the law’s privacy notice requirements, including implementing reasonable safeguards to protect personal information.
The following is a quick summary of the recent changes as they concern employees:
Privacy Notice for Employees: The amendment added a few terms to the CCPA. Of note, the amendment added the term “employment-related information,” which was defined to include personal information that is collected by the business about employees, applicants, independent contractors, owners, directors, officers, emergency contacts, and/or dependents.
This change reaffirmed the notion that employers are required to provide notice to employees regarding personal information that is collected and the purposes for which such information is collected. Previously, the Attorney General provided guidance requiring companies to provide a link to the privacy notice at the point of collection, which may have been difficult for employers that do not always collect employee data electronically. However, in the revised proposed regulations, the Attorney General made changes that give employers more leeway. Specifically, employers are allowed to provide a copy of the privacy notice via e-mail and/or paper at the time of collection of employment-related information. Further, if such information is collected online, employers can provide a link to a privacy policy applicable for job applicants, employees, or contractors in lieu of a link to a privacy policy for consumers, since such policies may not sufficiently address disclosure requirements in the employee context. Nevertheless, the revised proposed regulations require any notices be easy to read and understand, including using a format that would draw the consumer’s attention to the notice and make the notice readable, even on smaller screens, if applicable. Accordingly, the proposed regulations provide illustrative examples of when the notice can be provided at or before the point of collection of personal information.
ADA Accessibility: Additionally, privacy notices under the CCPA must be reasonably accessible to individuals with disabilities. For notices provided online, the business must follow generally recognized industry standards. The Attorney General identified the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, available here. In other situations, businesses must find ways to provide information in an alternative format. For instance, the proposed regulations state that when businesses are collecting information over the phone or in person, such businesses may provide the privacy notice orally.
The Bottom Line: Based on recent changes to the CCPA and the Attorney General’s proposed revised regulations, employers are encouraged to review their privacy policies, including whether these policies meet ADA accessibility requirements. Furthermore, employers should be prepared to extend full protection and statutory rights to employees starting on January 1, 2021. Employers also should consider the method of delivery of their privacy notice to their employees and how to best provide such notice.