California AG issues Revised Proposed CCPA Regulations Addressing Employment-Related Information
On February 10th, the California Attorney General’s Office published revised proposed regulations to implement the California Consumer Privacy Act (CCPA). The revised proposed regulations make a number of changes to the proposed regulations initially published by the Attorney General’s Office for public comment in October 2019. The proposed revisions include new content intended to address the application of the CCPA to what the proposed regulations refer to as “employment-related information” about individuals that are California residents, a topic which was not addressed in the original proposal. While the proposed regulations use the term “employment-related information,” as further discussed below, the provisions reach information about not only “employees” but also certain other specified groups, including contractors, owners, directors, medical staff, and officers.
Statutory Amendments. The provisions in the proposed regulations addressing employment-related information, which have not yet been finalized, are necessary to address amendments to the CCPA that were signed into law by Governor Gavin Newsom in October 2019, about the same time the initial proposed regulations were issued. The legislation sought to address uncertainty about whether employment-related information was subject to CCPA protections.
The October CCPA statutory amendments pertaining to employment-related information expressly address certain categories of personal information that is collected by a business about California residents “acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” Cal. Civ. Code 1798.145(h)(1). The terms contractor, director, medical staff member, officer, and owner all are CCPA defined terms. Cal. Civ. Code 1798.145(h)(2). The provisions apply to:
- Personal information to the extent it is collected and used solely within the context of an individual’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business;
- Personal information that is collected by a business that is emergency contact information of such a person to the extent that the personal information is collected and used solely within the context of having an emergency contact on file;
- Personal information that is necessary for the business to retain to administer benefits for another person (such as a family member) to the extent that the personal information is collected and used solely within the context of administering those benefits.
The legislation provides that such information is subject to CCPA, while deferring application of most—but not all—CCPA requirements for this information until January 2021. Two CCPA provisions, however, did become effective January 1, 2020:
- A business that collects personal information shall, at or before the point of collection, inform the individual as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Such a business is prohibited from collecting additional categories of personal information or using personal information collected for additional purposes without providing appropriate notice.
- In the event of a data breach involving such personal information about such personnel, the CCPA data-breach-related private right of action applies just as it would for breaches of other personal information.
The Proposed Regulations. The Proposed Regulations largely track October’s legislative changes with respect to employment-related information. The proposed regulations, however, add a proposed definition of “employee benefits”, which would be defined to mean “retirement, health, and other benefit programs, services, or products to which consumers or their beneficiaries receive access through the consumer’s employer.”
The Proposed Regulations also provide that businesses collecting employment-related information must provide notice in compliance with the regulations’ notice provisions (Section 999.305) except that:
- The notice at collection of employment-related information does not need to include the link or web address to the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” (since those provisions do not apply to employment-related information until January 2021); and
Other Exemptions. The amendments do not affect provisions of the CCPA which exempt certain information from CCPA coverage, including the use of consumer reports regulated by the Fair Credit Reporting Act (FCRA), cases where a business’s health plan is subject to the Health Insurance Portability and Accountability Act (HIPAA), or the use of certain information subject to the Driver’s Privacy Protection Act (DPPA).
Businesses should consider the extent to which they may have notice obligations under the proposed regulations with respect to employment-related information, recognizing that there may be additional changes to the proposed regulations as a result of public comments on the new proposal. In addition, while the data breach liability provision does not create new data security obligations, this also may be an opportune time to review data security programs for compliance with existing California data security obligations.