Here's What California Employers Should Know About CCPA Compliance

California has one of the nation's most stringent privacy laws and the first that applied to employees. The California Consumer Privacy Act (CCPA) has been amended several times since it passed in 2018—and employers should be aware of how those changes affect the workplace.

Employers should also review how the COVID-19 pandemic may have changed the way they collect and store employee data.

Preparing for Deadlines

The CCPA provides consumers—including employees—certain rights regarding the personal information that businesses collect about them. Since Jan. 1, 2020, covered employers must provide notice to employees, job applicants and independent contractors when collecting their personal information for employment, recruitment and contracting purposes. Employers can't use the personal information they collect for any reason that is not provided in the notice.

Usama Kahf, an attorney with Fisher Phillips in Irvine, Calif., said the first order of business for companies is determining if they are covered by CCPA and ensuring they have complied with the original mandate. The CCPA generally covers companies that do business in California (even online) and meet one of the following criteria:

• Have a gross annual revenue of at least $25 million.
• Annually buy, receive or sell the personal information of 50,000 or more California consumers, households or devices.
• Derive 50 percent or more of their revenue from selling California consumers' personal information.

Employers should note that the CCPA has been amended several times. Most recently, in November 2020, voters passed Proposition 24—the California Privacy Rights Act (CPRA)—which created the California Privacy Protection Agency to implement and enforce the law.

Many requirements under the CPRA related to employee and job-applicant data will take effect on Jan. 1, 2023, but the act has a 12-month "look-back" provision. That means that on Jan. 1, 2023, companies doing business in or recruiting in California (whether they are based in the state or not) need to have mapped data and be able to provide disclosures on all information the company has retained on an employee or applicant as far back as Jan. 1, 2022. This includes not just personnel files and payroll data, but key swipe records, IT requests, network logs and geolocation data. So covered employers should be planning for the deadline now.

Some employers that don't deal directly with consumers may be late to the game. "There is this myth that this a 'consumer' law, and a misunderstanding by some HR professionals that employees are not consumers," Kahf said. "But employees have always been consumers under this law."

Given the CCPA's reach, compliance is not as simple as distributing a template and updating a one-hour training for those in the company with access to consumer and employee data. Preparing for compliance could take months and involve multiple departments.

Preparing for the 2023 deadline will involve full-spectrum data mapping—understanding what data is tracked and retained by what departments, for how long, and how and where it is stored. "This goes well beyond what HR has on an employee," Kahf said. For instance, HR may be surprised to learn that the marketing or finance department or a particular manager is collecting data.

The CCPA also requires training for all individuals responsible for handling consumer and employee inquiries about a company's privacy practices, but since the enforcement agency is still being formed, there are no detailed regulations yet.

Companies will need to decide if they want to comply with the California law across their workforce, or just for their California employees. Additionally, several states, including Washington, New York, Virginia and Minnesota, are eyeing similar legislation, observed Marina Gatto, an attorney with Perkins Coie in Palo Alto, Calif. That will create a patchwork of different requirements and lots of moving pieces.

"A lot of companies are hoping for a federal law that will swoop in and level-set the playing field, but I would not recommend waiting for that," she said.

COVID-19 Pandemic Impact

Arlene Yang, an attorney with Meyers Nave in San Diego, noted that the way some companies have collected and stored employee information may have changed during the pandemic, since so much work is being done remotely.

"Companies are also collecting health information on their employees like never before," she said, including daily temperature checks and symptom screening for employees working onsite. This data is covered by the CCPA.

Employers should think long and hard about what information they really need to collect and how long they need to keep it, with the goal of "slimming down" the amount of data that needs to be managed, Yang recommended.

The pandemic may also prompt employers to review their general data hygiene practices, since many employees are working from home on multiple or shared devices and may store sensitive data in close proximity to family members.

Data breaches have increased since the pandemic began, noted Nicky Jatana, an attorney with Jackson Lewis in Los Angeles. A study by LexisNexis Risk Solutions found that 45 percent of U.S. survey respondents have had their personal information compromised through a data breach. The rise in e-commerce, as consumers shop from home (and potentially from employer-owned devices), provides even more opportunity for fraud, Jatana said.

Yang recommended taking an individualized approach to CCPA compliance. "Expect hiccups," she said. "These issues can be more complicated than they appear at the start. Start now so that you are not caught scrambling."

Focusing on compliance might be overwhelming for many employers as the pandemic persists. "Don't be afraid to reach out to ask for help," Gatto said. "Once you have a handle on this, it will be so beneficial."

Susan Kostal is a freelance writer and editor in San Francisco.