Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) originally came into effect on January 1st, 2020, only a year and a half after it was passed.
Since its passing, the CCPA has received multiple amendments, the most notable of which is the California Privacy Rights and Enforcement Act of 2020 (CPRA). In this article I will outline the key takeaways that employers need to know if they wish to monitor employees in the workplace while maintaining compliance with the CPRA and CCPA.
This article is intended for informational purposes only and is not a replacement for consultation with a lawyer.
JANUARY 2021 UPDATE
When the CCPA was originally implemented its scope was focused on bolstering the data privacy rights of California consumers. Over time there have been several amendments to the CCPA to refine how these protections should be extended in the context of B2B and employee-employer relationships. One of these amendments was Assembly Bill 25 (AB25), which was passed on September 13, 2019 and signed into law on October 11, 2019.
When AB25 was passed, it provided employers with a moratorium on complying with the CCPA with regard to information collected by them “in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.”
Significantly, AB25 did not amend the requirements for employers to implement reasonable security measures to safeguard employee data, or the requirements for disclosures regarding the categories of personal information they collect about employees and job applicants and the purpose of collection.
The exemptions stipulated by AB25 were originally set to expire on January 1st, 2021; however, further amendments from the California Privacy Rights Act of 2020 (CPRA) have since extended this date to January 1st, 2023. It is believed that the extended employee and business-to-business (B2B) exemption is intended to provide opportunities for future legislation to be passed that directly governs employee data in an employee-employer relationship.
Generally speaking, employers are allowed to use employee and computer monitoring software to monitor company-owned devices so long as there are legitimate business reasons for capturing the data.
The CPRA will still allow for the monitoring of employee computer activity; however, employees will be provided with additional rights regarding that data. When the CPRA becomes fully operational on January 1st, 2023, employees will be granted the same protections from their employers that were guaranteed to consumers under the CCPA.
While the CPRA will not become operational until January 1, 2023 and enforcement will not begin until July 1, 2023, its regulations will apply to data collected since January 1, 2022. Employers that are subject to this law must be prepared to adjust how they collect, use, store, and protect employee monitoring data (such as website browsing activity).
The CPRA will provide employees with the right to access, delete, or opt out of the sale of their personal information, including data collected by employee monitoring software. Employers that collect employee computer activity data must develop systems that allow the deletion of this data at the request of their employees. Employees will also be granted the right to know where, when, and why their employers are using their personally identifiable data.
Here’s what businesses can do to remain CPRA compliant when monitoring employees in the workplace:
Even if your company isn’t based in California or employing workers in California, the data privacy revolution is well under way. To best prepare for business continuity you should operate under the assumption that legislation that is substantially similar to GDPR, CCPA, and CPRA will impact your business in the future. Implementing measures that allow you to monitor employees while respecting data privacy legislation now will allow you to adjust to future data privacy laws with greater ease.
For more information regarding the differences between the CCPA and the CPRA, visit this article by Manatt.
This section is current as of December 20, 2019.
Note: As of July 1st, 2020 the California Consumer Privacy Act (CCPA) is now being enforced.
A new decade is upon us, and with it comes a continuation in the rapid evolution of data privacy laws and regulations. Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) will come into effect on January 1st, 2020, only a year and a half after it was passed.
While amendments to the CCPA are expected to occur after it has passed, companies will still need to be prepared to comply with this new legislation as soon as it comes into effect, with the enforcement of the CCPA starting either six months after the final regulations are published or July 1, 2020, whichever occurs first. With so little time to prepare, we hope that this article gives your business the overview it needs to understand the next steps needed to meet your CCPA compliance needs.
In 1972, California voters amended the California Constitution to include privacy among the inalienable rights of the people. The intention of the CCPA is to continue protecting the right to privacy of Californians by granting them the right to access, delete, and opt-out of the sale of their personal information.
Under CCPA, consumers are granted the right to request:
Under CCPA, consumers are to be granted the right to request the deletion of their personal data. Once the request is verified as legitimate, businesses will be required to comply with the request within 45 days, with a once-per-customer extension of 45 days permitted to businesses that reasonably require an extension and notify the customer within the initial 45-day period.
Under CCPA, consumers will be granted the option to request that the sale of their personal information by a business be disallowed. Should a consumer exercise this right, businesses are not permitted to discriminate against the consumer.
Examples of discrimination disallowed by the bill include charging a different price and providing a different quality of goods or services to consumers that exercise their right to opt-out of the sale of their personal data. The CCPA gives an exception to the alteration of quality/price under circumstances where “the difference is reasonably related to value provided by the consumer’s data.” CCPA would also grant businesses the option to offer financial incentives for the collection of personal information.
For consumers under 16, the CCPA requires that the sale of their personal information be prohibited unless “affirmatively authorized”, meaning that consumers younger than 16 years of age must “opt-in” to the sale of their personal information by providing explicit permission.
At its most basic level, the definition of “personal information” under CCPA refers to any information that can be plausibly linked to a specific household or individual consumer, such as but not limited to:
Under CCPA, inferences made using collected data are also protected. This is of special consideration for marketers or other industries creating demographic and consumer behavior profiles.
“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” – Assembly Bill No. 375, Chapter 55, Section 1798.140(K)
It is important to note that according to the CCPA, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. For a detailed list of what is considered personal information under CCPA, refer to section 1798.140 of Assembly Bill No. 375.
The CCPA can potentially apply to any for-profit business or associated entity in California, whether or not they physically reside in California, so long as that business collects and controls the processing of a consumer’s personal information while also meeting ANY of the below criteria:
The act of “selling” personal data is not exclusive to monetary transactions. According to the bill, the exchange (“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”) of personal information in return for “valuable consideration” will also be considered as selling under the CCPA.
While “valuable consideration” is not explicitly defined in the bill, the California Legislative Information website has previously defined a “consideration” as “any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.”
The potential penalties for businesses failing to maintain their CCPA compliance requirements will be significant, with violations of the CCPA incurring fines of up to $7,500 per violation. Under the CCPA, data breaches will also be considered the responsibility of the company, with fines of up to $750 per consumer affected in each breach.
With consumer privacy regulations expected to take center-stage in the coming decade, businesses that are not directly affected by the California Consumer Privacy Act should still ensure that they are in the best position possible to adapt to future privacy regulations. Legislation such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s General Data Protection Regulation (GDPR), and Nevada’s Senate Bill 220, along with various other local privacy and data legislation, are going to continue to influence how businesses are expected to operate.
If you would like to see the entire unedited assembly bill detailing the CCPA, visit the link below:
Full text of AB375, Title 1.81.5, “The California Consumer Privacy Act of 2018, CCPA”: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375