AB-25: The Temporary CCPA Fix for Employers
Oct 17, 2019 Published Article
As initially drafted, the California Consumer Privacy Act, or CCPA, included broad privacy rights for all California residents, including not just consumers – but also employees. Given the broad scope of the CCPA, the law provided employees with certain privacy rights that would have made life incredibly difficult for employers. Over the past 12 months, in an effort to quell the uprising amongst California business owners, the State Legislature has struggled to find a balance amongst consumer rights, employee privacy concerns and practical business needs. The temporary compromise is found in AB-25, which was signed by Governor Newsom last week, and attempts to provide some protection for California employees in the short-term – while a permanent solution can be developed.
What Does AB-25 Do?
AB-25 mainly exists to address an ambiguity in the CCPA that boils down to this question: "Are Employees Consumers?" Under the initial law passed, the short answer is "yes," giving employees all rights under the CCPA. However, for businesses, AB-25 exempts them from complying with the CCPA regarding personal information about a natural person acting as a job applicant, contractor, director, medical staff member, employee, officer or owner if the information is used for (a) employment purposes; (b) having an emergency contact on file; or (c) administering benefits to the employee and their covered relatives.
This exemption would not extend to either (a) the business' responsibility to inform a consumer as to the categories of personal information it collects and for what purposes it is used on the request of the consumer, or (b) the right of an employee to sue the business in the event of a data breach. Those rights cannot be waived under the CCPA. However, this provision exempting the information of individuals working for a business is set to expire on its own terms as of January 1, 2021.
However, AB-25 also addresses various other "housekeeping matters," such as aspects of the consumer request standards, including some small guidance on authentication and the minimum standards of the business's methods for receiving these requests. Specifically, a business can require that the requests be made through the account the user has with the business (if the account exists), and may "require authentication of the consumer that is reasonable in light of the nature of the personal information requested." AB-25 also requires that businesses inform consumers of their rights to request disclosures of specific personal information and deletion of personal information.
What Do Businesses Need to Do?
Essentially, what businesses need to do in light of this amendment is continue with preparations for the CCPA, whether that includes data mapping, ensuring that personal data is safeguarded, or otherwise putting in place a response process for consumers to request information about, or the deletion of, their data. While there has been some guidance added regarding authentication, it follows the general rule of thumb that authentication should be limited to what the consumer has already revealed to the business.
Businesses must also be aware that they must disclose to their employees, at the time of collection, exactly what information is being collected, how it is being collected, the business purpose for collecting such information, and with whom the collected personal information is being shared. This will require revisions to a company’s employment agreement, application, and employee handbook.
Finally, for job applicants, contractors, or employees, this does not necessarily permit a business to maintain a file in the event an applicant is not hired or an employee ceases their relationship, nor does it mean that businesses can ignore requests from contractors or employees. Instead, businesses should be ready to limit employee or contractor requests to categories of information and how they will be used.
What happens after the year expires?
While there is always a chance that the state will extend or make the employee exemption indefinite, there are never any guarantees that the legislature will act to do so.
After the January 1, 2021 deadline, without any action by California's legislature, employees, applicants and contractors can feasibly request anything that any other California resident can request, including the deletion of their information, and the right to request a business disclose information regarding the employee's information.
Our firm has created a 90-day CCPA compliance program where our team will collaborate with you to determine a scalable, practical, and reasonable way for you to meet your needs, and we will provide a free initial consultation.