Skip to Main Content.

Background

Not to be outdone by Europe’s General Data Protection Regulation (“GDPR”), California recently passed its newest privacy law. On June 28, California Governor Jerry Brown signed into law the California Consumer Privacy Act of 2018 (CCPA). The CCPA does not go into effect until January 1, 2020, but, as experienced with the GDPR, 18 months is a short amount of time to implement the policies and processes necessary for compliance. While the focus has largely been on the relationship between businesses and consumers, it is worth exploring the impact of the CCPA on the employer/employee relationship.

This is the first in a two-part series addressing the CCPA in the context of the employer-employee relationship.

Does the CCPA apply to employers?

Probably. The CCPA was crafted to ensure, subject to certain exemptions, the privacy of Californians’ personal information, as defined, through the establishment of various consumer rights, including the right to know what personal information is being collected about them; the right to know if the personal information is being sold and to whom; the right to access their personal information; the right to control the sale of their personal information; and the right to equal service and price, even if they exercise these rights.

Although the CCPA was enacted as a consumer privacy law, the definition of “consumer” is broad and makes the law applicable to any natural person who is a California resident. In addition, the definition of “personal information” includes “professional and employment-related information.” Employment-related information includes a wide range of employment records, such as personnel files. When the definitions of “consumer” and “personal information” are considered together, the CCPA is likely applicable to employers with employees who are California residents. Further, the legislative history does not indicate that the lawmakers intended to exempt employees from the protections.

The law was enacted quickly—from text to passage within one week, in an attempt to preempt a more stringent ballot measure—and contains numerous errors and ambiguities. Legislation to correct errors and reduce ambiguities is expected prior to its effective date. Moreover, the law calls for the California attorney general to solicit public participation to adopt regulations relating to implementation of the CCPA. Therefore, it is possible that the California legislature will modify the law to expressly include (or exclude) employers, or the California attorney general will issue regulations addressing the issue.

Does the CCPA apply to employers located outside of California?

Yes. Like the GDPR, the CCPA has extraterritorial applicability so that it applies to companies located outside the state of California. Thus, provided the employer otherwise meets one of the thresholds to CCPA applicability discussed below, and as long as one employee is a California resident, the CCPA will apply to that Californian’s employer with respect to that employee.

Are there any minimum thresholds for applicability of the CCPA?

Yes. Not all companies are covered by the CCPA. The CCPA requirements extend to companies that (1) have annual gross revenues exceeding $25 million; (2) annually buy or receive for commercial purposes, or sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or (3) derive 50 percent or more of their annual revenues from selling consumers’ personal information.

Takeaway

The California legislature still has time to amend the CCPA and provide clear guidance as to whether employers are covered. In the meantime, covered employers with employees who are California residents should begin preparations for compliance with the CCPA.

What is required for employers to comply with the CCPA and the consequences of non-compliance are the subject of Part 2 in this series, which is forthcoming.

For more information, contact Brice Smallwood, or any other member of Frost Brown Todd’s Privacy and Information Security Team.