California employers collectively breathed a sigh of relief when the state legislature delayed most of the California Consumer Privacy Act’s (CCPA) application to them until 2021. However, there’s not much time to relax: two significant CCPA provisions took effect in 2020, and the legislature is expected to pass an employer-specific data privacy law this year.
To ensure compliance with the provisions taking effect this year, and prepare for what may be coming next year, covered employers should consider taking the following steps now:
- Assess the “personal information” collected from employees and how it is used. The CCPA defines this term broadly, and it likely encompasses more categories of information than most would think. For example, “personal information” may include any of the following items, which are commonly collected from employees: photographs or recordings; internet or computer activity records; emergency contact information; employment history; bank account numbers; biometric data; contact information; Social Security numbers; education history; internal survey responses; insurance information; and other information concerning workers’ activities or performance. Covered employers should take stock of the full range of information they are collecting, and examine how that information is stored, how it is used, and who has access to it.
- Review online and hard-copy forms used to collect personal information. The CCPA requires covered employers to notify consumers, at or before the point of collection, of the purposes for which their information is being collected and how it will be used. To ensure compliance, employers should review all mechanisms used for collecting personal information from applicants, employees, contractors, or other personnel, and consider updating those forms to include the requisite notice.
- Consider developing a general privacy notice. As an alternative to updating each form individually, covered employers may wish to develop a general privacy notice, given to all applicants, employees, contractors, or other personnel, that notifies them of the categories of data that will be collected from them during their employment and how that data will be used.
- Review and update internal policies and training. Covered employers should ensure that employees are aware of their obligations to maintain the confidentiality of personal information, and that employees know not to repurpose already-collected personal information for a previously undisclosed purpose. For example, an employer could not publish an employee’s name and security badge photo on its website unless the employee was notified that his or her photo might be used for such a purpose. Similarly, an employer could not share employees’ computer browsing data with a third-party analytics company unless the employees had been notified that such data was being collected and might be used for that purpose. Employees with access to others’ personal information should know the purposes for which they are authorized – and not authorized – to use that information.
- Assess and update information security policies and protocols. The CCPA has already established employer liability for certain security breaches involving personal information. Employers should take steps to review their information security policies and protocols to reduce the risk of a security breach concerning the personal information of their personnel.
Although California’s legislature gave employers a slight reprieve from most aspects of the CCPA, new privacy laws and regulations are likely just around the corner. Taking these steps and precautions now will help ensure that covered employers are prepared for the next wave of privacy legislation.