Even before the onset of the COVID-19 pandemic, California businesses braced for the significant impact that the new California Consumer Protection Act (CCPA) would have on their operations. This far-reaching and the first consumer protection law of its kind in the country provides consumers rights associated with how businesses collect and use their data. The law, which took effect on January 1, 2020, was pushed by consumer privacy advocates after a series of data security breaches, like the 2014 hack of Sony associated with the release of its film "The Interview," which exposed its employees' emails and personally identifiable information.
Among other safeguards, consumers have the right to opt-out of the collection and sale of personal information, the right to request that a business delete personal information, and the right to request disclosure of what personal information a business collects, uses, shares, or sells. As discussed in more detail below, most consumer protections under the law will not apply to employees until at least 2021.
In the COVID-19 era, as shelter-in-place directives begin to ease and businesses think ahead to reopening operations, it is likely that health and safety measures such as temperature checks and requiring family health information will become more commonplace. In this context, it is even more critical for consumers and workers to think ahead, too, and understand their privacy protections. Indeed, the California Attorney General has recently made clear that the pandemic will not delay enforcement of the CCPA.
Covered Businesses Under the CCPA
The CCPA applies to for-profit businesses that (a) do business in California, (b) collect the personal information of consumers and employees, and (c) satisfy any of the following three criteria:
- The business has annual gross revenues over $25 million; or
- The business annually buys, receives, sells, or shares personal information of 50,000 or more California residents, households, or devices (or any combination thereof); or
- The business derives 50% or more of its annual revenue from selling consumers' personal information.
The CCPA governs even small businesses, such as when at least 50,000 California residents visit a company's website annually (or an average of 137 unique users daily).
Employee Protections Under the CCPA
While the CCPA defines "consumer" broadly to include employees, most of the protections will not apply to employees until January 1, 2021. If the electorate passes a new state ballot measure in November 2020, this exemption would be extended to 2023.
However, two critical provisions of the CCPA currently do apply to employees. First, employers must implement reasonable security measures to protect employees' personal data. An affected employee can file an individual or class action lawsuit and potentially recover between $100 and $750 per consumer per data breach incident or their actual damages, whichever is greater. Second, employers must disclose the categories of personal information collected about employees and job applicants and the business purposes for which the information is used.
"Personal Information" Defined
"Personal information" is broadly defined under the CCPA. Presumably, personal employee information can include a sweeping array of data, including demographic information, personnel files, payroll records (pay stubs, timesheets, direct deposit information, tax withholding information, etc.), health insurance records, and training records. Personal information can also include information about employee internet usage on employer devices or geolocation information, which is gaining increasing significance as much of the state's workforce has settled into working from home during the pandemic.
Also notable is COVID-19-related data such as temperature checks, personal and family health information, travel history, and contact tracing.
Employee Protections on the Horizon
Unless the California legislature or electorate delays the extension of privacy protections to employees, workers can expect further protections under the CCPA beginning January 1, 2021. At that point, employers will be required to:
- Expand notice rights (including the right of access, deletion, and receipt of information; whether the information is shared with any third parties; and the specific categories of third parties with which the employer shares the information);
- Implement at least two methods by which employees and job applicants can submit verifiable "consumer requests;" and
- Track and respond within 45 days to employees' and job applicants' verified consumer requests.
Uncertainty looms as the enforcement deadline approaches, and for several years to come, workers and their advocates (along with businesses, courts, and the legislature) will grapple with how to apply the CCPA to our new COVID-19 world.
Workplace Issues in the Coronavirus Era
COVID-19 continues to alter our economy, our relationships, and our workplaces. Despite these unprecedented transformations, people fortunate enough to have kept their jobs face new interpretations and applications of employment laws. If you have questions about discrimination, harassment, or other workplace disputes, please contact us today. We are dedicated to monitoring changing rules and regulations and can help you protect and enforce your rights.