The recently proposed amendment to the California Consumer Privacy Act (CCPA) should be a wake up call to those employers who are not already actively planning for the January 1, 2020 compliance deadline.

The amendment reaffirms that employers must (i) provide employees with notice of the categories of personal information collected and the purposes for which the information shall be used at or before collection; and (ii) implement reasonable cybersecurity safeguards to protect certain employee personal information or risk employee lawsuits, including class actions seeking statutory damages, for data breach under a private right of action provision. Employers cannot collect additional employee information or use collected information for different purposes than originally noticed without giving supplemental notice.

Although the amendment would grant a one-year moratorium before certain rights of employees contained in the original legislation are effective (e.g., right by employees to receive a copy of the personal information collected and to deletion in certain circumstances), the private right of action to recover minimum statutory damages or actual damages for unauthorized access and exfiltration due to a failure to maintain reasonable cybersecurity safeguards, and notice of collection requirements, were retained in the employment context.

In June 2018, California enacted the CCPA to protect California residents’ personal privacy from organizations that are in the business of buying and selling personal information or might otherwise collect personal information in their business activities.  For an in-depth analysis of the Act’s provisions, see here. The Act becomes effective on January 1, 2020, so businesses still have time to become compliant. EBG has prepared a compliance flow chart highlighting key thresholds and requirements, see here.

After the Act’s passage, objections were raised by the business community who complained about certain of the Act’s requirements. Of particular concern was that the Act covered personal information collected in the course of the employment relationship. Employers pushed for relief from the CCPA’s requirements as proposed in the original bill.

Recently, there has been a legislative effort to address these concerns from employers, with a proposed amendment providing that employee personal information collected “solely” for employment purposes is exempt from certain of the Act’s requirements until January 1, 2021.  See 7/8/2019 Senate Judiciary Committee and 4/19/2019 Assembly Committee on Privacy and Consumer Protection Reports. In other words, should this amendment pass, the rights by employees to deletion of and to receive copies of their personal information (see 1798.100(c); 1798.105)) and requirements of the Act other than 1798.100(b) (notice of collection) and 1798.150 (private right of action for data breach) would not apply to solely employment-related data for one additional year.

The legislators, however, retained intact the provision providing employees with a private right of action for data breach while also emphasizing that the cybersecurity protections apply to the collection of certain employee personal information as defined in Section 1798.81.5 (e.g., social security number, medical information, health insurance information, username and password). Although the exemption from certain of the Act’s requirements is garnering attention, the reaffirmation of the employer’s “duty to implement reasonable security practices and procedures” and providing a private right of action with minimum statutory penalties “per consumer per incident” (even in the absence of actual damage) for the failure to do so leading to a data breach is more notable.  Employers should immediately proceed to conducting a risk assessment of its collection and use of employee personal information and implementing reasonable cybersecurity safeguards. Employers should also prepare for providing employees with notices of collection practices required by January 1, 2020, and develop written policies and procedures concerning the collection and use of employee personal information.

Sanchita Bose, a 2019 Summer Associate (not admitted to the practice of law) in the firm’s Washington, DC office, contributed significantly to the preparation of this post.

Back to Workforce Bulletin Blog

Search This Blog

Blog Editors


Related Services



Jump to Page


Sign up to receive an email notification when new Workforce Bulletin posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.