CCPA Update – The Latest on the Employee Exemption Amendment
On July 9, 2019, the California Senate Judiciary Committee passed Assembly Bill 25, but only after changes were made to the version in an attempt to overcome opposition to the bill by labor groups was the bill passed unanimously by the California Assembly. During a Committee hearing, the bill’s author agreed to amend AB 25 so that certain disclosure obligations set forth in Section 1798.100(b) of the California Consumer Privacy Act (“CCPA”) and the law’s private right of action for data breaches set forth in Section 1798.150 would apply to all California residents, including in the employment context.
The version of the bill passed by the Senate Judiciary Committee uses clearer language to explicitly exempt any personal information that a business collects about a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.
Recall that the CCPA grants consumers the right to access, delete, or opt out of the sale of their personal information collected by a covered business. AB 25 provides an exemption for employers who might receive access, deletion, or opt-out requests from their employees. AB 25 would exempt from the CCPA’s application “[p]ersonal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” if the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
If AB 25 is enacted in its revised form, a covered business would be required to inform its employees, job applicants, and other enumerated individuals performing roles within the business’s employment context as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. That notice would need to be provided at or before the point of collection, and the business would be prohibited from collecting additional personal information or using personal information for additional purposes without first providing notice of such additional collection or use. The CCPA’s other requirements, however, would not apply to these exempted categories of individuals, including the rights made available to consumers under the CCPA.
Importantly, the new exemption language will not apply to the CCPA’s rules on data breaches. An employer could still be on the hook for statutory or actual damages per data incident impacting the company’s current or former employees and job applicants.
Grayson J. Derrick
Chair, Technology and Intellectual Property Section