The California Consumer Privacy Act (CCPA) just went into effect on January 1, 2020. If your business has operations in California, the new law may require you to provide notices to employees, update privacy policies on websites and amend contracts with vendors who handle employee data—including data relating to your employee benefit plans.
Employers Subject to the CCPA
The new law casts a wide net. It applies to any for-profit business (including entities that control or are controlled by the business and share common branding with the business) that:
- Collects information about California residents or households (defined as “personal information”);
- Determines the purposes for processing the personal information, alone or jointly with others;
- Does business in California or with any California resident; and
- Meets any one of the following requirements:
  - has annual gross revenues in excess of $25 million;
  - alone or in combination, annually buys, sells, receives or shares personal information of 50,000 or more California consumers (or 50,000 or more devices or households); or
  - derives 50% or more of its revenue from selling California consumers’ personal information.
The CCPA gives California residents certain rights with respect to their data. These rights will vary, depending on whether a business merely collects and processes information about California residents and households or if it also “sells” the information.
- Individual Rights: The CCPA gives California residents the following rights:
  - The right to request disclosures of data collected about the California resident (also known as the “right to know”)
  - The right to access the personal information that the business has collected about the California resident
  - The right to seek deletion of data that the business has collected, with certain exceptions (also known as the “right to be forgotten”)
  - The right to opt out of any sale of information—to the extent that the business sells (or is deemed to be selling) personal information
  - The right not to be discriminated against if the California resident exercises any rights under the CCPA (also known as the “right to equal services”)
- Contracts with Vendors: If a business subject to CCPA uses a third party to handle any personal information about California residents or households, the business must obtain certain contractual promises from the third party so that the third party’s handling of the data will not be deemed a sale for CCPA purposes. Specifically, the contract with the third party must prohibit sale of the information or use in any manner other than to provide the agreed upon services to the business and must also include a certification that the third party understands and will comply with those restrictions. If you do not have the specific language in place, the vendor’s access to the information may be deemed a “sale” of information that must be disclosed to employees and potentially subject to an opt-out right.
Application of the CCPA to Employment Data
The CCPA defines “personal information” to specifically include employment-related information. However, before the California legislature adjourned for 2019, it passed an amendment to the CCPA that provides a one-year partial exemption for employment data. As amended, the CCPA during 2020 requires that a business must give employees and job applicants in California the Notice of Collection that describes the categories of data that the business collects, the purposes for the collection and the disclosures that it makes of that data. However, the business does not have to respond to individual rights requests until 2021.
Application to Employee Benefits
Employee benefit programs inevitably include personal information, such as names of employees, names of spouses, dependents and other beneficiaries, and possibly information associated with those individuals. For programs subject to ERISA, there is certainly an argument that CCPA is preempted by ERISA—but California has a history of challenging ERISA preemption claims, and until courts work through that issue, it’s an open question. Moreover, if your company provides any benefit programs that are not subject to ERISA (for example, a dependent care FSA, an HSA contribution program or a salary continuation program for those on short-term disability leave), no preemption argument is available.
Penalties Under the CCPA
Non-compliance with the CCPA will be costly. The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per violation per employee. Additionally, consumers whose data is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures. The CCPA expressly voids any arbitration provision or class action limitation on this right.
Steps to Take Now
If your business is subject to CCPA requirements, consider the following steps with respect to your employment data and employee benefit programs:
- Develop and provide a Notice of Collection to your employees. This should be given to all employees working in California as soon as it is finalized, and on a going-forward basis to all newly-hired employees in California on their first day of hire.
- Identify the ways you accept applications from prospective employees and determine how to provide them with the Notice of Collection. For example, if you accept applications through your website, you could include a prominent link to the Notice of Collection on the page where you post job openings.
- Identify all vendors who have access to employee data and amend your contracts to address the specific CCPA requirements. This could include, for example, payroll vendors, HRIS vendors and third-party administrators of your employee benefit programs.
- Begin developing policies and procedures for responding to employees who wish to exercise their individual rights beginning in 2021.
We’re Here to Help
For assistance with CCPA compliance or questions about the CCPA generally, please contact Norbert Kugele or any member of Warner’s Employee Benefits Practice Group.