Due to recent developments, it appears that a California Consumer Privacy Act (which I wrote about on ERE) amendment exempting employee and job applicant data will not be as robust as once envisioned. More specifically, it appears that the proposed amendment — AB 25 — has been revised to provide that the CCPA will apply to the personal information of employees and other personnel. However, there are new nuances that employers should be aware of and prepare for now.
The Latest Version of AB 25
Previously, AB 25 would have completely exempted the personal information of employees, job applicants, and others that was used in the context of human resources and talent administration (see Section 1798.145 (g)(1) for the complete list). However, the California Senate Judiciary Committee has proposed a new version. Its version is likely to pass by mid-September 2019. Moreover, its version of AB 25 would exempt for one year (i.e., until January 1, 2021) the majority of the Act’s requirements as they relate to the personal information of the employee and job applicant data.
Its AB 25 version, however, does not apply to (a) the requirement to provide a privacy policy to employees/applicants at or before the point of collection of their personal information, or (b) the private right of action breaches arising from a business’ failure to implement and maintain reasonable security measures.
After the exemption period expires (January 1, 2021), businesses would then be subject to all of the requirements in the human resources and talent administration context.
How Your Company Should Prepare
While AB 25 may continue to be amended by the end of September 2019, it is highly unlikely that the law will never apply to employees/job applicants’ personal information. Therefore, businesses should:
- ensure your data mapping efforts include employees/job applicants’ personal information;
- update your applicable privacy policy and ensure it is delivered to the employee/job applicant beginning January 1, 2020; and
- ensure your security measures apply to employee/job applicant’s personal information, including in third-party systems of service providers