What CHROs Need to Know About the California...

The California Consumer Privacy Act of 2018 (CCPA) was introduced on June 21, 2018, and signed into law seven days later to head off a ballot initiative that could not have been amended by the State legislature.  The ballot initiative was generated over privacy concerns regarding social media and other tech platforms that collect and sell personal data.  However, sponsors of the initiative said they would withdraw the measure if the Consumer Privacy Act was enacted by June 29.  Legislators took that option, hastily drafted the Act and passed it before the deadline.

Unfortunately, what is primarily a consumer protection law: 

• Likely covers employee and applicant data given the broad definition of “consumer”
  • It also explicitly protects “professional or employment-related information”
• Effective January 1, 2020, with 12-month lookback period for data
• Covers California residents and employers with annual gross revenues of more than $25 million
• Creates new disclosure requirement and employee rights:
  1. Must disclose to covered employees what data will be collected and the purposes for which the data will be used
     • But does not require employee consent before data is collected
  2. Covered employees may request and access: 1) all personal information collected by their employer over the past 12 months; 2) the categories of sources from which the personal information was collected; 3) the business purpose for collecting the data; and 4) the categories of third parties with whom the information is shared
  3. Covered employees have a limited right to delete their data.  
     • But employers may refuse requests if they are legally required to retain the data, or if the the employer collected or retained the data to protect against deceptive or fraudulent activity or “[t]o enable solely internal uses that are reasonably aligned with the expectations of the [employee] based on the [employee’s] relationship with the [employer].”
• Employees have a limited private right of action for data breaches to recover the greater of actual damages or statutory damages of up to $750 per individual per incident.
• Employees also have the right to opt out of the “sales” of their information, but employers rarely sell employees’ personal information.

Outlook: The California legislature is considering technical changes to the law over the next few weeks and may consider potential amendments next year.  Other States could enact similar laws.