California Consumer Privacy Act Will Apply to Employers in 2023

In this episode of The Workplace podcast, CalChamber employment law expert Matthew Roberts and CalChamber policy advocate Ashley Hoffman discuss the current state of the California Consumer Privacy Act (CCPA) and how it will affect employers starting January 1, 2023.

What is the California Consumer Privacy Act?

Initially created in 2018, the CCPA went into effect on January 1, 2020, Roberts says.

The CCPA was intended to provide data protection rights to California consumers, such as the right to know what data about a consumer is being collected or the right to certain protections of personal data, Hoffman explains. The law also provides some remedies in the event of a data breach and a right to inspect records. Certain companies have a few rights, for example, to opt out of some selling of information, right to request deletion of information, etc.

While the law does not apply to every business in California, it does apply to three categories of for-profit businesses:

  1. Businesses with a gross annual revenue of $25 million or more;
  2. Businesses that buy, receive or sell personal information of 50,000 California household residents or devices. This figure will soon change to 100,000 California household residents or devices; and
  3. Businesses that derive 50% or more of annual revenue from selling consumers’ personal information.

Who Is Covered by the CCPA?

As defined in the law, a “consumer” means a California resident. Businesses crafting a CCPA policy should be very clear that its policies apply only to California residents, Hoffman stresses. Otherwise, if a policy is written too broadly, the business could find itself in a bind if the policy expresses the business is willing to apply these rights to people even outside of California.

Any type of information can be covered under the CCPA, such as personalized information or anything that identifies or could be linked to a consumer or their household, she says. This includes things like names, birth dates, and Social Security numbers.

Starting January 1, 2023, the law will also apply to business-to-business information. So, if you are a smaller company that is doing business with a company covered by the California Privacy Rights Act (CPRA), Hoffman recommends you familiarize yourself with the CCPA because it will affect you soon.

CCPA Was Never Intended to Apply to Employees

The CCPA was never intended to apply to employees, and the legislators who wrote the law were very clear that that was never the intent, Hoffman says.

“But what happened was, when they were doing some cleanup, there was some concern from folks, that ‘consumer’ was written so broadly, that it could include employees,” she says.

In response, an amendment was written to exclude employees and business-to-business transactions. When the bill was going through the Legislature, however, some groups wanted to force a discussion on worker privacy, and so a sunset was put in to force business, labor and attorney groups to come to the table and talk about worker privacy, Hoffman explains.

Shortly after, the COVID-19 pandemic hit and the sunset was extended to January 1, 2023 thanks to Proposition 24.

Because no bill was formally passed to extend the current sunset this year, absent another bill or executive order, the employee and business-to-business exemption will expire on January 1, 2023, but enforcement will not begin until July 1, 2023.

What Employers Should Begin Doing

Employers should consult with their legal counsel to determine how the CCPA will affect their business and to ensure that proper policies are created, Hoffman says. Employers will need to know how to treat employee data, what data to collect and how long to retain the data. Employers also need to evaluate what other laws exist that have certain retention requirements.

Employers will need to disclose to employees what data is being retained, and establish a system to manage requests protected under the law, such as rights to accessing information, a right to correct, etc.

There also is a right to delete, which can be extremely concerning in the employment context, especially when one considers a situation where an employee is engaging in discriminatory or harassing behavior, and they may want to try and cover that up. Hoffman stresses that employers should learn about any exemptions that apply, such as an exemption for legal claims, or things like that. While employers should ensure there is a system in place for employees who seek to exercise their rights, employers also should know what the bounds of those rights are to ensure the integrity of key documents in a workplace investigation.