CCPA Change Grants Temporary Reprieve for California Employees

Earlier this month, California Governor Gavin Newsom signed into law Assembly Bill 25 (“AB 25”), a last-minute revision to the California Consumer Privacy Act (“CCPA”). AB 25 grants a one-year exemption to CCPA-covered for-profit entities as to some of the CCPA's requirements regarding the personal information of job applicants, employees, owners, and contractors. Importantly, this exemption does not extend to at least two major CCPA requirements, which still go into effect on January 1, 2020.

Due to the limited scope and duration of the AB 25 exemption, CCPA-covered for-profit entities collecting and maintaining data from their California-resident workers or owners must comply with CCPA requirements not temporarily exempted by AB 25 by January 1, 2020, and prepare for full compliance by January 1, 2021.

Reminder: Who is Covered by the CCPA?

For-profit entities that collect or receive personal information relating to California residents and which determine the purposes and means of processing that personal information will be subject to the CCPA—at least with respect to the personal information of those California residents—if they do business in California and one or more of the following applies:

  • The entity has annual revenues of at least U.S. $25 million.
  • The entity buys, sells, or shares or receives for commercial purposes, the personal information of at least 50,000 California residents, households, or devices.
  • The entity receives more than 50% of its revenue from selling personal information about California residents.

The CCPA also applies to for-profit entities which (1) control, or are controlled by, a for-profit entity which meets the above criteria; and (2) share common branding with such a for-profit entity.

Partial Exemption for Personal Information of Employees, Contractors and Owners

During AB 25's one-year exemption period, CCPA-covered job applicants, employees, owners, directors, officers, medical staff members or contractors will not have the right to request the disclosure, deletion, or portability of their personal information. To qualify for the AB 25 exemption, CCPA-covered entities must use such personal information solely within the context of an individual’s respective role with the organization (e.g., employee personal information collected and used solely within the context of a person’s role as an employee).

AB 25 also temporarily exempts emergency contact information and personal information necessary for an entity to administer benefits for the same classes of individuals (employees, contractors, etc.), if the personal information is used solely in the context of maintaining an emergency contact on file or administering benefits, respectively. If personal information is not used solely within the specified context, the personal information is subject to all of the CCPA’s requirements.

However, even if personal information is used solely in the appropriate context, the AB 25 exemption remains limited in scope. It does not extend to at least two key provisions of the CCPA: 1) its core notice requirement; and 2) its private right of action for breaches due to negligent security measures.

Even while AB 25 is in force, CCPA-covered entities must still inform all California residents whose personal information they collect or maintain (including their employees) of the categories of personal information that the entity will collect and of the purposes for which the personal information will be used. CCPA-covered entities must inform California residents of these categories and purposes at or before the point of collection, regardless of whether the California resident is a job applicant, employee, owner, or contractor. CCPA-covered entities cannot subsequently collect additional categories of personal information without giving this required notice to California residents.

Similarly, the CCPA’s private right of action also still applies to personal information subject to the AB 25 exemption. This right of action allows individuals whose nonencrypted or nonredacted personal information has been subject to unauthorized access or disclosure due to a CCPA-covered entity's failure to implement or maintain reasonable security procedures or practices to sue for damages between $100 and $750 per incident or actual damages (whichever is greater). This right is limited by a 30-day cure period if the damages sought are at least in part statutory. However, no cure period applies if an individual sues solely for actual damages suffered as the result of such a failure to implement or maintain reasonable security procedures or practices.

Looking Forward

Although AB 25’s exemption reduces the CCPA’s requirements somewhat, its limited scope and duration mean that for-profit entities with California-based workers or owners should carefully assess whether they are CCPA-compliant notwithstanding AB 25. If your business collects or receives the personal information of California residents—as customers, job applicants, employees, or contractors—assessing your CCPA compliance before the CCPA's effective date of January 1, 2020 remains critical. Without further legislative or executive action, the AB 25 exemption will expire on January 1, 2021.

If you or your organization have compliance questions about AB 25, other recent CCPA amendments, or about the CCPA generally, please contact Michael Gentry, Collin Weyers or another member of Reinhart’s Data Privacy and Cybersecurity Group.