The First Consumer Privacy Law in the U.S. Is Coming: Are You Ready?
The California Consumer Privacy Act (CCPA) is a new privacy regulation that will go into effect on January 1, 2020, and it is the first law in the United States that will closely align with the General Data Protection Regulation (GDPR). The CCPA seeks to protect all California residents with respect to any personal information that relates to them. As such, the new legislation is causing a great deal of confusion among employers. Specifically, it could impose considerable compliance burdens on every employer that employs California residents – not just businesses that are located in California. This compliance risk, however, is not guaranteed.
The confusion stems from the vagueness surrounding the applicability of the CCPA to employee and job applicant data. As a result, this vagueness is also creating a waiting game for employers, who are trying to determine the best approach to CCPA compliance. Here are some key considerations regarding your strategic CCPA options:
Does CCPA apply to employee and job applicant data?
There are currently two views on this topic. The first view is that the CCPA’s plain language is vague and broad enough that it arguably covers employee and job applicant data. The second view is that the CCPA offers many indications that the California legislature never intended for employee and job applicant data to be covered by it. For example, the words “employer” and “employee” do not appear in the entire statute. Given the disconnect in differing views, it should come as no surprise that there is a pending bill addressing this topic.
California Assembly Bill 25 (“AB 25”) would clarify this topic by adding an exclusion to the CCPA’s definition of “Consumer”:
Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of ... the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of ... the business.
If signed into law, AB 25 would remove employee and job applicant data from the CCPA’s purview. If it is not enacted, a regulatory clarification from the California’s Department of Justice could also do so.
What is the impact on employers if the CCPA applies employee and job applicant data?
The CCPA is intended to provide California residents with more control over their personal information. This is accomplished by affording them new individual rights. These include the right to:
· Access personal information
· Delete personal information
· Opt-out of the sale of personal information
The CCPA also permits California residents to bring a private right of action against a business under certain circumstances, such as when the business suffers a data breach. Therefore, waiting to see if employee and job applicant data is subject to CCPA may not be an option for some employers. Moreover, other states have already drafted and are discussing the enactment of a similar data privacy legislation, like the CCPA.
How can employers proactively prepare for the CCPA?
Once an employer decides to proceed with implementing a CCPA compliance program for employee and job applicant data, it should consider taking the following steps:
- Establish an individual data rights submission method: Employees and job applicants will need a method to submit requests to exercise their rights.
Develop or revise applicable policies and procedures: Revisit policies and procedures to verify, respond to and document personal information requests. Privacy and security policies may also need to be revised (or developed if they do not currently exist) to address the aspects of CCPA beyond personal information requests.
- Address information security: Review current information security practices and procedures for employees and job applicants and address any gaps.
- Perform awareness and operational training: Provide a general awareness to all company employees about the CCPA, and specifically train employees responsible for responding to CCPA-related personal information requests.
What should employers expect?
Since the CCPA’s enactment, many legal and business representatives, among others, have expressed their concerns of the CCPA’s vagueness regarding the applicable to employee and job applicant data. Therefore, I believe it is reasonable to expect AB 25 to become law. However, the timing of its passage and enactment is still very much an unknown. In addition, looking into the future, beyond the effective date of the CCPA, one thing is clear. There will be more states that pass privacy regulations like the GDPR.
As such, this is not a time for idleness. Instead, employers should proactively begin preparing for the CCPA. The cost of non-compliance is simply too high. It can have risks beyond monetary value, including negative effects on an employer’s employees and job applicants, brand and future success.
With less than six months until the CCPA goes into effect, now is the time for you and your company to act.
Follow along over the next several months and visit the International Association of Privacy Professionals’ (IAPP) Privacy Tracker for updates.
By Josh Torres
Josh Torres serves as corporate regulatory & privacy counsel at iCIMS, Inc. Torres brings more than 10 years of corporate law experience to iCIMS, including a highly regarded specialization in privacy law. Torres is one of a select few members to be named a Privacy Law Specialist (PLS) by the International Association of Privacy Professionals (IAPP), an exclusive designation that recognizes a select group of leaders that successfully demonstrate a knowledge of relevant privacy laws, regulation and technology; a commitment to staying ahead of new developments in the field; and substantial time devoted to practicing law related to safeguarding personal information.