The First Consumer Privacy Law in the U.S. Is Coming: Are You Ready?

The California Consumer Privacy Act is a new privacy regulation that will go into effect on January 1, 2020, and it is the first law in the United States that will closely align with the General Data Protection Regulation. The California Consumer Privacy Act seeks to protect all California residents with respect to any personal information that relates to them. As such, the new legislation is causing a great deal of confusion among employers. Specifically, it could impose considerable compliance burdens on every employer that employs California residents — not just businesses that are located in California. This compliance risk, however, is not guaranteed.

The confusion stems from the vagueness surrounding the applicability of the California Consumer Privacy Act to employee and job applicant data. As a result, this vagueness is also creating a waiting game for employers, who are trying to determine the best approach to California Consumer Privacy Act compliance. Here are some key considerations regarding your strategic options:

Does the California Consumer Privacy Act apply to employee and job applicant data? There are currently two views on this topic. The first view is that the California Consumer Privacy Act’s plain language is vague and broad enough that it arguably covers employee and job applicant data. The second view is that the California Consumer Privacy Act offers many indications that the California legislature never intended for employee and job applicant data to be covered by it. For example, the words “employer” and “employee” do not appear in the entire statute. Given the disconnect in differing views, it should come as no surprise that there is a pending bill addressing this topic.

California Assembly Bill 25 (“AB 25”) would clarify this topic by adding an exclusion to the California Consumer Privacy Act’s definition of “Consumer”:

Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of … the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of … the business.

If signed into law, AB 25 would remove employee and job applicant data from the CCPA’s purview. If it is not enacted, a regulatory clarification from the California’s Department of Justice could also do so.

What is the impact on employers if the California Consumer Privacy Act applies employee and job applicant data? The CCPA is intended to provide California residents with more control over their personal information. This is accomplished by affording them new individual rights. These include the right to:

Access personal information
Delete personal information
Opt-out of the sale of personal information

The California Consumer Privacy Act also permits California residents to bring a private right of action against a business under certain circumstances, such as when the business suffers a data breach. Therefore, waiting to see if employee and job applicant data is subject to California Consumer Privacy Act may not be an option for some employers. Moreover, other states have already drafted and are discussing the enactment of a similar data privacy legislation, like the CCPA.

How Employers Can Prepare

Once an employer decides to proceed with implementing a California Consumer Privacy Act compliance program for employee and job applicant data, it should consider taking the following steps:

Establish an individual data rights submission method: Employees and job applicants will need a method to submit requests to exercise their rights.
Update your website’s privacy policy: Ensure that your business’ website privacy policy provides the information required by the California Consumer Privacy Act, including how personal information of California employees and job applicants are handled.
Develop or revise applicable policies and procedures: Revisit policies and procedures to verify, respond to, and document personal information requests. Privacy and security policies may also need to be revised (or developed if they do not currently exist) to address the aspects of the California Consumer Privacy Act beyond personal information requests.
Address information security: Review current information security practices and procedures for employees and job applicants and address any gaps.
Perform awareness and operational training: Provide a general awareness to all company employees about the California Consumer Privacy Act, and specifically train employees responsible for responding to California Consumer Privacy Act-related personal information requests.

What Employers Should Expect

Since the California Consumer Privacy Act’s enactment, many legal and business representatives, among others, have expressed their concerns of the California Consumer Privacy Act’s vagueness regarding the applicable to employee and job applicant data. Therefore, I believe it is reasonable to expect AB 25 to become law. However, the timing of its passage and enactment is still very much an unknown. In addition, looking into the future, beyond the effective date of the CCPA, one thing is clear. There will be more states that pass privacy regulations like the GDPR.

As such, this is not a time for idleness. Instead, employers should proactively begin preparing for the CCPA. The cost of non-compliance is simply too high. It can have risks beyond monetary value, including negative effects on an employer’s employees and job applicants, brand and future success.

With less than six months until the CCPA goes into effect, now is the time for you and your company to act.

Follow along over the next several months and visit the International Association of Privacy Professionals’ (IAPP) Privacy Tracker for updates.

How Employers Can Prepare

Once an employer decides to proceed with implementing a California Consumer Privacy Act compliance program for employee and job applicant data, it should consider taking the following steps:

Establish an individual data rights submission method: Employees and job applicants will need a method to submit requests to exercise their rights.

Update your website’s privacy policy: Ensure that your business’ website privacy policy provides the information required by the California Consumer Privacy Act, including how personal information of California employees and job applicants are handled.

Develop or revise applicable policies and procedures: Revisit policies and procedures to verify, respond to, and document personal information requests. Privacy and security policies may also need to be revised (or developed if they do not currently exist) to address the aspects of the California Consumer Privacy Act beyond personal information requests.

Address information security: Review current information security practices and procedures for employees and job applicants and address any gaps.

Perform awareness and operational training: Provide a general awareness to all company employees about the California Consumer Privacy Act, and specifically train employees responsible for responding to California Consumer Privacy Act-related personal information requests.

What Employers Should Expect

With less than six months until the CCPA goes into effect, now is the time for you and your company to act.

Follow along over the next several months and visit the International Association of Privacy Professionals’ (IAPP) Privacy Tracker for updates.