The California Consumer Privacy Act (CCPA) has received a lot of well-deserved coverage lately as its enactment date draws closer. While the CCPA is a state law, its provisions apply to companies around the world that do business with at least one of California's 40 million residents.
What hasn't received enough attention, however, is one of CCPA's key amendments: Assembly Bill 25 (AB-25).
AB-25 redefines certain terms in the original act, awards certain rights to employees and expires in 2021. So, if your company collects the personal information of employees or job applicants, continue reading to learn more about AB-25 and how it impacts your processes.
Redefining the Term "Consumer"
As enacted, the CCPA’s definition of “consumers” was so wide that it would also include non-consumers such as employees and job applicants. This is an issue because employers must collect far more personal data about their employees than about their consumers.
To fix this, the legislature proposed Assembly Bill 25 (AB-25) which states:
(2) ‘Consumer’ does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor or agent of the business.
Put simply, AB-25 will exclude applicants, employees, contractors or agents from the current definition of “consumers” in the CCPA. However, AB-25 will do more than redefine the term.
Some Rights Still Apply
Despite excluding job applicants and employees from the term consumer, AB-25 will continue to uphold some rules. According to AB-25:
- Employers are still required to inform employees and applicants of the categories of personal information they intend to collect and the reasons why.
- Employees and applicants are still allowed to pursue private civil action if their personal data is hacked and compromised.
- Employers are subject to the same penalties and fines for violating CCPA whether the victim is a consumer or an employee.
And Some Rights Don't Apply
Certain consumer rights provided by the CCPA will not be extended to employees or applicants.
Although employees will have the right to know what personal information their employer is collecting about them and why, they will not have the right to request access to the information or request that it be deleted.
For employers, this means that you will not need to figure out or track what “specific pieces” of information you have collected about your employees.
Sunset Amendment: Expires 2021
One important caveat of this amendment is its expiration date.
AB-25 exempts employers for one year from abiding by the CCPA with respect to information collected:
By a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.
Since AB-25 expires on January 1, 2021, the legislature is committed to developing legislation specifically pertaining to employee rights. This means that they have one year to come to a conclusion on how the CCPA should protect the personal data of employees and applicants.
In essence, AB-25 bought the legislature more time to come up with rules specifically for employee personal data.
What Employers Should Do for Now
In the meantime, employers should stay on top of progress. Read new proposals and consider how they may impact your data collection, data storage and internal investigations.
Begin organizing and analyzing the personal information you have collected thus far. If your employees also interact with your company as a consumer, segregate the data.
Update your incident response plan to appropriately address and respond to data breaches. Similar to the GDPR, the CCPA has very strong, strict regulations for how companies are to address breaches and inform those who have been affected.
If you don't have an incident response plan, you'll need one to comply with CCPA.
Employers should also consider updating their onboarding materials and employee handbooks. You will be obligated to tell employees and applicants the categories of information you collect, and this should be addressed in your hiring documents.