Proposed Amendment to California Consumer Privacy Act (CCPA) Reaffirms Employer Notice Requirement and Employee Private Right of Action for Failure to Implement Cybersecurity Safeguards to Take Effect January 1, 2020

The recently proposed amendment to the California Consumer Privacy Act (CCPA) should be a wake up call to those employers who are not already actively planning for the January 1, 2020 compliance deadline.

The amendment reaffirms that employers must (i) provide employees with notice of the categories of personal information collected and the purposes for which the information shall be used at or before collection; and (ii) implement reasonable cybersecurity safeguards to protect certain employee personal information or risk employee lawsuits, including class actions seeking statutory damages, for data breach under a private right of action provision. Employers cannot collect additional employee information or use collected information for different purposes than originally noticed without giving supplemental notice.

Although the amendment would grant a one-year moratorium before certain rights of employees contained in the original legislation are effective (e.g., right by employees to receive a copy of the personal information collected and to deletion in certain circumstances), the private right of action to recover minimum statutory damages or actual damages for unauthorized access and exfiltration due to a failure to maintain reasonable cybersecurity safeguards, and notice of collection requirements, were retained in the employment context.

In June 2018, California enacted the CCPA to protect California residents’ personal privacy from organizations that are in the business of buying and selling personal information or might otherwise collect personal information in their business activities.  For an in-depth analysis of the Act’s provisions, see here. The Act becomes effective on January 1, 2020, so businesses still have time to become compliant. EBG has prepared a compliance flow chart highlighting key thresholds and requirements, see here.

After the Act’s passage, objections were raised by the business community who complained about certain of the Act’s requirements. Of particular concern was that the Act covered personal information collected in the course of the employment relationship. Employers pushed for relief from the CCPA’s requirements as proposed in the original bill.

Recently, there has been a legislative effort to address these concerns from employers, with a proposed amendment providing that employee personal information collected “solely” for employment purposes is exempt from certain of the Act’s requirements until January 1, 2021.  See 7/8/2019 Senate Judiciary Committee and 4/19/2019 Assembly Committee on Privacy and Consumer Protection Reports. In other words, should this amendment pass, the rights by employees to deletion of and to receive copies of their personal information (see 1798.100(c); 1798.105)) and requirements of the Act other than 1798.100(b) (notice of collection) and 1798.150 (private right of action for data breach) would not apply to solely employment-related data for one additional year.

The legislators, however, retained intact the provision providing employees with a private right of action for data breach while also emphasizing that the cybersecurity protections apply to the collection of certain employee personal information as defined in Section 1798.81.5 (e.g., social security number, medical information, health insurance information, username and password). Although the exemption from certain of the Act’s requirements is garnering attention, the reaffirmation of the employer’s “duty to implement reasonable security practices and procedures” and providing a private right of action with minimum statutory penalties “per consumer per incident” (even in the absence of actual damage) for the failure to do so leading to a data breach is more notable.  Employers should immediately proceed to conducting a risk assessment of its collection and use of employee personal information and implementing reasonable cybersecurity safeguards. Employers should also prepare for providing employees with notices of collection practices required by January 1, 2020, and develop written policies and procedures concerning the collection and use of employee personal information.

Sanchita Bose, a 2019 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office, contributed significantly to the preparation of this post.