Seyfarth Synopsis: California’s Attorney General is drafting regulations that will shape employer obligations under the California Consumer Privacy Act.
The California Consumer Privacy Act (“CCPA”) has engendered much confusion. The original enactment defined “consumer” to include employees, thereby imposing sweeping, onerous burdens on employers. Fortunately, the CCPA was amended so that employees, business owners, officers, medical staff, and independent contractors are not “consumers.” Nonetheless, the CCPA still requires employers to provide employees with privacy policies.
The CCPA goes into effect on January 1, 2020, and the enforcement deadline is the sooner of July 1, 2020, or six months from when California’s Attorney General issues final regulations. The Attorney General is still in the process of drafting final regulations.
Privacy Notices Required
The issue of employee coverage under the CCPA has been a fractious one. In an attempt to reach a compromise between business interests and privacy rights, the California Legislature passed a series of bills, the most important being AB 25, which largely exempt employees from the CCPA while still requiring employers to provide employees with privacy policies.
a description of the categories of personal information to be collected, and
the purposes for which the disclosed categories of personal information will be used.
General Principles Regarding Drafting Employee Privacy Policies
Use “plain, straightforward” language.
Use a format that draws the employee’s attention to the policy.
Make the policy available in languages usually used to provide notices to employees.
Make the policy accessible to employees with disabilities.
Present the policy before collecting employees’ personal information.
The current AG regulations largely mirror existing requirements. But we expect to see the requirements expanded, as that has been our experience with what other regulators have required. With that foreseen result in mind, we recommend additional disclosures relating to:
the technologies used to collect personal data,
what third parties (usually service providers) will have access to personal data, and
the purposes for which the third parties will use personal data.
Failure to include these kinds of disclosures in a policy may trigger an argument that the policy did not disclose information that a reasonable employee would want to know in order to make an informed decision. (This is the traditional test the FTC uses in starting its “deception” analysis under Section 5 of the FTC Act. Although the FTC Act doesn’t apply here, the AG knows the FTC’s approach and could well use the same logic in enforcing the CCPA.)
Limitations On Use Of Personal Information
Implications For Businesses That Process Personal Information
Along these lines, under AB 25, a business cannot process Personal Information for a purpose not disclosed in the privacy notice. Thus, businesses must carefully draft employee privacy notices with a sufficient level of breadth to cover all the ordinary, and extraordinary, purposes to which employee data will be put.
The Clock Is Ticking
AB 25’s employee exception to being defined as a “consumer” has a time limit. If the Legislature does not act on the issue of employee privacy in the next session, then the carve-out will expire in 2021, and employees will once again be considered “consumers” under the CCPA.
Business to Business Exemption
Thanks to the passage of AB 1355, businesses need not provide privacy notices to the employees of their clients or their vendors, though businesses must provide notices to their own employees.