November 3, 2020: On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which extends the exemption on employee rights until January 1, 2023.

Updated October 19, 2020: On September 30, 2020, the California Attorney General signed AB 1281 into law extending the exemption on employee rights until January 1, 2022.

In October 2019, the California legislature passed Assembly Bill 25, an amendment that exempts employers from complying with certain CCPA requirements when it comes to the data of employees and job applicants. AB 25 was set to sunset on January 1, 2021, after which employee personal information would be granted the same rights and protections as consumer personal information as set forth by the CCPA. In the rush to comply with the CCPA this year, many businesses took advantage of this amendment and put these employee data requirements on the backburner. However, this deadline was recently extended until January 1, 2022. 

Companies will be able to continue to delay compliance efforts with this exemption for another year, as the California Attorney General recently signed Assembly Bill 1281 into law, extending the exemption on employee rights until January 1, 2022. Employee information under the CCPA covers a large swath of data and significant individual rights, so despite having another year to prepare, organizations should not delay compliance efforts for employee information too long. Keep reading to ensure your organization understands all the CCPA’s requirements for employee personal information and is prepared to comply before they go into effect.

Assembly Bill 25: The Employee Exemption

Assembly Bill 25 was passed by the California legislature on October 11, 2019, temporarily excluding employees and job applicants from a majority of the CCPA’s consumer rights requirements. This reprieve exempted CCPA-covered businesses from having to provide the same rights (e.g., the right to know, delete, and opt-out) to employees and job applicants as it did to consumers for one year. This exemption only applies when an employee’s personal information is collected and used in the context of the individual’s role as an employee.

Assembly Bill 25 was expected to sunset at the end of this year, giving businesses only until December 31, 2020 to ensure the policies, procedures, and processes they have in place to handle consumer data are extended to employee and job applicant data, as well. This date has now been extended a full year under Assembly Bill 1281, which was proposed by the California legislature on August 30, 2020 and signed by the California Attorney General exactly one month later. 

Starting on January 1, 2022, the rights afforded by the CCPA that will extend to employees and job applicants include:

• The Right to Know: Employees and job applicants will be able to request the categories of personal information an employer has collected about them, along with the purpose for collecting such personal information. Upon verification of the employee or job applicant’s identity, businesses must provide the personal information requested.
• The Right to Deletion: Employees and job applicants will be able to request that an employer deletes the personal information collected about them. There are exceptions available to employers to reject certain deletion requests, such as contractual or business obligations, instances when it is absolutely necessary to maintain the personal information (e.g., payroll or benefits), or cases where it would adversely affect the rights of others.
• The Right to Opt-Out: Employees and job applicants have the right to opt-out of the sale of their personal information by an employer to a third-party. While employers don’t typically sell their employees’ personal information, the broad definition of “sale” under the CCPA could include the transferring of personal information in certain instances (e.g., bankruptcy, mergers, acquisitions, etc.). Businesses will need to have a clear understanding of what constitutes as a “sale” to ensure compliance.
• The Right to Non-Discrimination: Businesses cannot discriminate against employees and job applicants who exercise their rights by denying goods or services, charging different prices, or providing a different quality of goods or services. Therefore, businesses will not be able to fire an employee or decline promotion opportunities for employees that exercise their rights under the CCPA.

Assembly Bill 25 did not exempt employers from two provisions of the CCPA, which were immediately applied when the law took effect on January 1, 2020.

1. The Right to Notice: Businesses must inform employees and job applicants at or before the point of collection of the personal information that they are collecting and disclose of how their personal information will be used.
2. The Right to Seek Statutory Damages: Employees and job applicants can bring a civil action against a business if their personal information is accessed, stolen, or disclosed without their consent, resulting from a lack of reasonable security practices and procedures. These individuals will have the right to seek damages ranging from $100-$750 per incident, or the actual damages incurred, whichever is greater. 

Who is Included under Assembly Bill 25?

Under the CCPA, a consumer is defined as a “natural personal who is a California resident.” But this broad definition caused confusion among businesses who were unsure if the consumer requirements of the CCPA extended to their California employees the same way it did to their California customers. Assembly Bill 25 clarified the confusion surrounding the definition by giving rights to all individuals that a business collects personal information from, including:

• Current and former employees
• Job applicants
• Contractors
• Owners
• Directors
• Officers
• Medical staff members

What Personal Information is Included under Assembly Bill 25?

Come January 1, 2022, any personal information a business collects, stores, or uses from these workforce individuals that can be used to identify them will become subject to the CCPA. From an employer perspective, the following types of data collected will soon be considered “personal information” under the CCPA:

• Job applications, resumes, cover letters, and CVs
• New hire/onboarding paperwork (including social security number, driver’s license, and mailing address), background checks, and IRS Forms
• Payroll information, including bank account numbers
• Employee medical benefits plans and 401(k) packages
• Photos used for identification badges, organizational charts, and other marketing purposes
• Employee or job applicant information obtained from recruiting websites or other vendors supporting recruiting activities
• Information from company devices and vehicles (including online browser activity and geolocation data)
• Employee personal records, such as performance evaluations, disciplinary records, engagement surveys, or development questionnaires
• Employment contracts and independent contractor agreements

In addition, emergency contact information collected by employers and information collected necessary to administer benefits to someone related to the employee or job applicant is also included.

Preparing for January 1, 2022

This past year, companies in scope of the CCPA hurried to finalize compliance around consumer personal information to meet both its effective and enforcement dates. Now, those companies that sidelined addressing employee personal information requirements will need to start their compliance efforts once again to meet the January 1, 2022 deadline. Here is a checklist you can go through to help you better prepare for these new employee personal information compliance obligations.

	Identify and inventory all information that may be considered the personal information of employees or job applicants via data mapping
	Review existing data security policies and procedures to guarantee reasonable security practices are in place to protect employee and job applicant information
	Implement at least two methods by which employees and job applicants can submit verifiable requests concerning their rights under the CCPA
	Ensure the proper processes are in place to respond to verifiable employee and job applicant requests within 45 days
	Inventory all relevant third-party contracts and assess them in order to determine if their existing privacy and security controls are adequately protecting employee data
	Update contracts with the third parties that your company shares employee or job applicant personal information with, such as benefits providers, payroll companies, and staffing vendors
	Establish which staff member or department will be responsible for handling employee and job applicant rights requests and if training will be necessary
	Determine whether existing employee, job applicant, or contractor agreements, manuals, or handbooks should be updated to include the right to know, access, delete, and non-discrimination
	Create a data retention process to comply with the CCPA’s 12-month look-back requirement for employee and job applicant information

Just months before the CCPA went into effect in January 2020, the California legislature passed Assembly Bill 25, narrowing the scope of the CCPA by exempting the personal information collected from employees and job applicants from certain rights. Assembly Bill 1281 will effectively replace Assembly Bill 25 starting on January 1, 2021. While the employee exemption extension grants organizations more time, the employee information and employee rights in scope are significant. Starting on compliance efforts now will ensure your company has ample time to prepare and is ready to ring in the new year come December 31, 2021.

Get more insights into the latest privacy news.

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.