Dec. 27, 2019 Reminder: Employer Obligations for CCPA Compliance Begin January 1, 2020

Although the California Consumer Privacy Act’s (CCPA) most onerous requirements for employers will not go into effect until next year, two requirements will take effect on January 1, 2020.

Is My Business Covered?

Not all businesses are covered by the CCPA.  The new law applies only to for-profit entities doing business in California that collect consumers’ (including employees’) personal information and meet any one of the following criteria:

  1. Businesses with gross annual revenues in excess of $25 million;
  2. Businesses that annually buy, share, or receive for commercial purposes, or sell personal information of 50,000 or more consumers, households, or devices;
  3. Businesses that derive 50% or more of annual revenues from selling personal information; or
  4. Any business that (a) controls (or is controlled by) a business meeting any of the above and (b) shares common branding.

If Covered, What Are We Required to Do?

Beginning January 1, 2020, covered employers must (1) take reasonable security measures to safeguard employee data and (2) disclose their privacy policy to California residents and employees before collecting any personal information.

We recommend that covered employers:

  • Engage with the IT team to ensure that the company’s security measures are reviewed periodically for compliance with industry standards and best practices.
  • Draft a new privacy policy.
  • Distribute the privacy policy to applicants and employees “at or before the point of collection of” data. For example, the policy should be visible before the individual begins the employment application or provides personal data for the HRIS system. 
  • Add a read receipt acknowledgment for the privacy notice in any compensation or benefits plan agreements.

What Does the Policy Need to Include?

Later this year, after the California Office of the Attorney General (OAG) completes its draft regulations, we expect to have more guidance on exactly what the policy must include.   

For now, we recommend making a good faith attempt at compliance by providing employees with a short policy covering the following:

  • The purpose of the policy;
  • A brief definition of “employee data”;
  • A broad description of the employee data the company collects;
  • A broad description of how the company uses employee data;
  • A statement that employee data may be disclosed to third parties, such as for payroll and benefits administration;
  • A statement that the company takes reasonable security measures to protect employee data;
  • A statement that the company does not sell employee data; and
  • Contact information for employees who want to learn more. 

The policy should be broad enough to capture all of the specific categories of data that companies need to collect with regard to the employment relationship and all applicable compensation and benefits arrangements. The OAG has already stressed that privacy policies must:

  1. Use “plain, straightforward” language;
  2. Use a format that draws the employee’s attention to the policy;
  3. Be made available in languages usually used to provide notices to employees; and
  4. Be accessible to employees with disabilities.

What If We Are Not Ready by January 1, 2020?

While the law again goes into effect January 1, 2020, it will not be enforced until the later of July 1, 2020, or six months after the OAG completes its draft regulations.  The public comment period recently closed and the OAG is still working on final regulations.  As noted above, we expect that the final regulations will provide more guidance.  As such, employers should plan to revise the draft policy after the OAG’s regulations are finalized.

Where Can We Find More Info on the CCPA?

The CCPA is an onerous law that covers far more than the employer obligations set forth above.  The OAG website and this Fact Sheet summarize the new rights granted under the CCPA, who the CCPA applies to, and the new business obligations it creates.

This E-Update was authored by Karyn Moore and Camille Gustafson. For more information or for assistance with employee privacy policies, please contact Ms. Moore, Ms. Gustafson, or any other Paul, Plevin attorney, by calling (619) 237-5200.