Employee privacy under the California Consumer Privacy Act

When California enacted the California Consumer Privacy Act of 2018 this past summer, much of the ensuing discussion concerned how the regulation would impact businesses that collect and use extensive amounts of consumer data, such as retailers. This focus makes sense in light of the name of the act, and in light of the context in which it was enacted: namely, to head off a ballot initiative sponsored by Californians for Consumer Privacy. Not to mention that the CCPA was enacted just a few months after the European Union's consumer-privacy-focused General Data Protection Regulation went into effect.

But unlike many other consumer rights statutes, the CCPA is not limited to consumers at all. The statute defines the term "consumer" to mean "a natural person who is a California resident." California Civil Code Section 1798.140(g). So defined, "consumers" under the CCPA means just about everyone -- including employees who reside in California. The CCPA's provisions apply to any business with gross revenues in excess of $25 million that collects consumer information and does business in California. Meaning that any business with more than $25 million in revenues that collects information about its employees -- which surely any such business does -- is subject to the CCPA.

The CCPA does contain a limited exception for using personal information when necessary to carry out a business's operations, but this likely does not cover employee information. Rather, this exception is directed to "short-term, transient use" such as completing a transaction or debugging a security system. See id. Section 1798.140(d).

Thus the CCPA as written makes no distinction between employee information and consumer information. This creates some immediate problems. For example, under the CCPA, a consumer can at any time request that a business "delete any personal information about the consumer which the business has collected from the consumer." Id. Section 1798.105(a). If the CCPA applies with full force to employees, which it appears to do, this provision also entitles employees to command their employers to delete all their personal information. The CCPA defines personal information very broadly, including "[p]rofessional or employment-related information." Id. Section 1798.140(o)(1)(I). So under the CCPA, an employee can request deletion of their entire personnel folder, and the CCPA specifically obligates the employee to do just that.

It may be unlikely that employees will instruct their employers to delete personnel files. And there is nothing in the CCPA that would prevent an employer from terminating an employee who makes such a request. (There is a non-discrimination provision, Section 1798.125, but this only precludes businesses from charging customers differently based on whether or not they agree to share their personal information, and does not require companies to employ those who will not share their information.) But the CCPA contains numerous provisions that could easily be onerous for employers to follow with respect to their employees. For example, the CCPA requires certain disclosures to be made before personal information is collected -- does this mean before an employee sends an email if the company stores the emails on its server? See id. Section 1798.100. If an employer uses third-party service provider to process payroll, that service provider will have to certify that it is compliant with the CCPA. See id. Section 1798.140(v). And if a company wants to analyze employee data to evaluate employee performance, that will have to be done in accordance with the CCPA's extensive provisions regarding the use of aggregated data. See id. Section 1798.140.

The CCPA will not go into effect for another year, and the California attorney general has six months after that to finalize the implementing regulations. Meaning there is still time for the scope of the CCPA and its applicability to employees to be clarified. However, there are two good reasons to believe that the CCPA will ultimately be applicable to employees to at least some extent.

First, while the latest and most high-profile data breach cases have involved consumer information, employees have also been targeted by identity theft rings. For example, in Sapient Corp. v. John Does 1-50, 3:18-cv-01681-WHO (N.D. Cal.), scammers used information from real employees of Sapient to post fake job listings, interview applicants, and steal their identities. Sapient was able to obtain an injunction, but similar scams are likely still in operation. Indeed, the extensive information employers maintain about their employees can leave employees at especially high risk in the event of a breach.

Second, some states have already enacted employee-specific privacy statutes. Illinois was one of the first, when in enacted the Illinois Biometric Privacy Act in 2008, and then the Right to Privacy in the Workplace Act in 2013. Illinois's Biometric Privacy Act requires affirmative consent for the use of biometric information, which many employers now collect as a matter of course. And the Right to Privacy in the Workplace Act makes it illegal for an employer to require an employee to grant it access to the employee's social media accounts, or to force the employee to "like" or "friend" the employer. See 820 ILCS 55/10(b).

California has its own version of Illinois's employee social media law, see California Labor Code Section 980, and the CCPA expressly includes biometric information as protected personal information. Plainly, employee data privacy laws are here to stay. Employers need to think carefully about what employee information they collect, what they use it for, and how they secure it. Otherwise, under the terms of the CCPA, each of their employees could have a claim for up to $750 -- or up to $7,500 if the attorney general gets involved. Precisely the sort of bonus scheme employers try to avoid.