By now, you have no doubt heard about the passage of the California Consumer Privacy Act of 2018, going into effect January 1, 2020. This new privacy legislation will force many companies – whether headquartered in or out of California – into compliance with several onerous requirements. Some have called it California’s answer to the (notorious) GDPR. But what does this mean from an employment perspective?

It means that despite the title, the Act extends certain protections to California employees because it defines “consumer” as “any natural person who is a California resident.” Therefore, regardless of where your company is located, if it employs at least one individual who is living or domiciled in the state and also meets one of the thresholds below, it must comply at least with regard to all California residents, including employees.

Is your company caught by the Act?

Regardless of where your company is located in the world, it must comply with the Act if it handles personal information (PI) of California residents (including employees) and exceeds one of the following thresholds. PI is broadly defined and specifically includes employment-related information.

  1. Annual gross revenues of $25 million (it is not yet totally clear whether this means California or global revenues);
  2. Collection for commercial purposes of the PI of 50,000 or more California residents, households, or devices annually (so, a data-heavy company or one that simply operates a website could be caught even if it has just one employee in the state, by virtue of collecting the data of California consumers and using such data for commercial purposes); or
  3. 50% or more annual revenue from selling California residents’ PI (which could capture even a small company).

Group companies may be covered by virtue of using the same branding, even if they individually do not exceed the above thresholds.

If your company is caught by the Act, what is required with regard to California employees?

  • Employees must be informed at or before the point of collection about the categories of PI collected and the purposes for which they will be used. Employers should consider whether they want to provide such information in a privacy policy or notice that will need to be made available prior to collection from a job candidate. Employees should also be informed about their rights in any such privacy policy or notice. Regardless of whether a policy or notice is separately provided, certain mechanical requirements regarding the manner in which employees must be informed apply (for instance, provision of a toll-free phone number).
  • No additional categories of PI may be collected without prior notice.
  • Employees may ask employers to disclose the categories and specific pieces of PI collected. This could include most HR records, including internal correspondence about the employee and references from prior employers and others – there is currently no carve-out for such confidential records (although a carve-out for trade secrets may be forthcoming).
  • Employers must provide such information free of charge.
  • Employees can ask for their PI to be deleted, subject to some exceptions for necessity which are unlikely to justify refusal to delete long after separation from employment.
  • Employees must be informed if their PI is being sold or disclosed to third parties for “business purposes” and can request information about the same. This is important to consider when sharing employee PI with vendors and even in case of a potential M&A transaction.
  • Employees can opt out of the sale of their PI (including, potentially, where the “sale” occurs because the employer shares the PI with a vendor who then commercializes it).
  • Employees may be entitled to statutory damages of up to $750 (or actual damages, if higher) per incident of unauthorized access, theft or disclosure (i.e., a breach) of certain types of non-encrypted or non-redacted PI. NO actual injury or harm is required.
  • Employers cannot retaliate or discriminate or seek contractual waiver under the Act.

Are there monetary risks besides exposure to claims for statutory damages?

Yes, the California Attorney General can order companies to pay penalties of up to $7,500 per intentional violation and up to $2,500 per unintentional violation that is not cured within 30 days of notice. Twenty percent of such penalties collected by the State of California shall be allocated to a new “Consumer Privacy Fund” to fund (and presumably encourage) enforcement.

January 1, 2020 seems so far away. What should a company be doing now?

Dramatic changes to the Act are not expected. Everyone who recalls having two full years to prepare for the GDPR will appreciate that 18 months can fly by. All companies should actively monitor developments with regard to the Act and start thinking about whether employee PI is impacted, in addition to any broader, true consumer-facing compliance efforts. This may include determining:

  • Whether the company is covered and if so, whether it will separately address California employees;
  • When and how to update employee documentation to address the information requirements;
  • Whether additional contractual language is required with any third parties, including vendors, receiving employee PI to exert better control on how those third parties utilize the PI received;
  • How to structure a process for data access requests from employees (which may need to be different from the process for others who are true consumers); and
  • What system modifications and awareness training will be required to implement all of the above.

Contact your Baker McKenzie employment lawyer for more details regarding compliance with the Act.