Retailers Should Consider Impact of California Consumer Privacy Act on Employee Data

Retailers and other employers with operations in California should be aware of the potential application of the California Consumer Privacy Act (“CCPA”) to data collected about California employees.  Although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” also will apply to California-based employees.

As we previously reported, the CCPA grants consumers various rights with regard to their personal information held by businesses.  This is part of a multi-part series addressing frequently asked questions concerning the CCPA.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

1. Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;
2. Their business has gross revenue greater than $25 million; or
3. Their business derives 50% or more of its annual revenue from sharing personal information.

What are the key implications of having to comply with the CCPA?

Employers who have to comply with the CCPA will be subject to the CCPA’s:

1. Expansive definition of “personal information”;
2. New notice requirements for California-based employees, which notices describe the employer’s collection of and use and disclosure of personal information;
3. New data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;
4. Special rules for the collection and use of personal information of minors;
5. Requirement to implement appropriate and reasonable security practices and procedures;
6. Enforcement provisions, including a statutory damages framework; and
7. Private right of action for employees.

The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.  For employers who have not had to comply with the European Union’s General Data Protection Regulation (“GDPR”), the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee-data and updated or new data policies. Employers who have had to comply with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP has also published a Practical Guide to the CCPA, which provides an overview of the law and its requirements.  In addition, for employers subject to the CCPA, BCLP offers a complete compliance CCPA program to employers that includes a formal gap assessment as well as policies, procedures, and protocols to close identified gaps.