On February 10th, the California Attorney General’s Office published revised proposed regulations to implement the California Consumer Privacy Act (CCPA). The revised proposed regulations make a number of changes to the proposed regulations initially published by the Attorney General’s Office for public comment in October 2019. The proposed revisions include new content intended to address the application of the CCPA to what the proposed regulations refer to as “employment-related information” about individuals that are California residents, a topic which was not addressed in the original proposal. While the proposed regulations use the term “employment-related information,” as further discussed below, the provisions reach information about not only “employees” but also certain other specified groups, including contractors, owners, directors, medical staff, and officers.
Statutory Amendments. The provisions in the proposed regulations addressing employment-related information, which have not yet been finalized, are necessary to address amendments to the CCPA that were signed into law by Governor Gavin Newsome in October 2019, about the same time the initial proposed regulations were issued. The legislation sought to address uncertainty about whether employment-related information was subject to CCPA protections.
The October CCPA statutory amendments pertaining to employment-related information expressly address certain categories of personal information that is collected by a business about California residents “acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” Cal. Civ. Code 1798.145(h)(1). The terms contractor, director, medical staff member, officer, and owner all are CCPA defined terms. Cal. Civ. Code 1798.145(h)(2). The provisions apply to:
The legislation provides that such information is subject to CCPA, while deferring application of most—but not all—CCPA requirements for this information until January 2021. Two CCPA provisions, however, did become effective January 1, 2020:
The Proposed Regulations. The Proposed Regulations largely track October’s legislative changes with respect to employment-related information. The proposed regulations, however, add a proposed definition of “employee benefits”, which would be defined to mean “retirement, health, and other benefit programs, services, or products to which consumers or their beneficiaries receive access through the consumer’s employer.”
The Proposed Regulations also provide that businesses collecting employment-related information must provide notice in compliance with the regulations notice provisions (Section 999.305) except that:
Other Exemptions. The amendments do not affect provisions of the CCPA which exempt certain information from CCPA coverage, including the use of consumer reports, regulated by the Fair Credit Reporting Act, cases where a business’s health plan is subject to the Health Insurance Portability and Accountability Act, or the use of certain information subject to the Driver’s Privacy Protection Act.
Businesses should consider the extent to which they may have notice obligations under the proposed regulations with respect to employment-related information, recognizing that there may be additional changes to the proposed regulations as a result of public comments on the new proposal. In addition, while the data breach liability provision does not create new data security obligations, this also may be an opportune time to review data security programs for compliance with existing California data security obligations.
Supported By WordPress Database Support Services