California AB 25 Passes Both Houses – Employee Information Is Excluded from the CCPA …Until 2021

September 17, 2019Alerts

With the effective date of the CCPA quickly approaching, industry backed bills have been heavily debated by the California legislature. Many proposed bills were abandoned, but some managed to survive and move forward. One of the bills that survived – AB 25 – now awaits the governor’s signature. The governor has until October 13 to sign the bill.

AB 25 excludes from the CCPA information collected about a person by a business while the person is acting as an applicant, employee, owner or contractor, to the extent the information was collected and used solely in the employment context. The amendment also excludes emergency contact information and information collected and maintained for the business to administer benefits.

But not so fast. This exclusion gives California businesses a temporary reprieve that lasts only until 2021, giving employers an additional year to come into compliance with the CCPA, and the legislature time to consider whether to extend the exception, or make it permanent.

It remains to be determined whether information collected from the employee by employer-provided technology, such as phones or laptops, falls under the scope of AB 25. While the information is collected by the employer, it may not be collected solely for the purposes of that person’s role in the employment context, and may still come under the CCPA. Also left undetermined is the impact on third party vendors who receive information from California employers in the employment context, such as payroll vendors or companies that handle employee leave requests.

There are reports that a bill will be introduced to exclude employee information beyond 2021, but until then, California employers should consider ways to lessen the impact when the law goes into effect and consider mapping the following employee data:

  • applicant or employee onboarding information such as a person’s Social Security number, driver’s license number, address, phone number and email address;
  • biometric information collected during the interview process and employment;
  • financial information used for direct deposit and other payroll functions;
  • information collected in the context of employee medical leave or leave pursuant to the Americans with Disabilities Act; and
  • employee online activity information such as browsing history, search history, or any other information reflecting user interaction with the internet captured by employer-provided technology.

California employers should consider the following ways to streamline information received from applicants and employees:

  • Map the Information Collected. Sift through the relevant data maintained and understand how applicant and employee data are collected and stored once received by human resources personnel and third-party vendors. Consider vendor-facing policies that require compliance with the CCPA. Consider how personal information is stored and for how long. Consider the protections applied to this information throughout the supply chain.
  • Consider Consumer Rights under the CCPA. Consider mechanisms for handling data portability and access and deletion requests.

In summary, while AB 25 affords businesses an extra year to come into compliance with the CCPA, they should consider now how the impact of 2021 will affect their practices and get a solid grasp on the progression of their employee data from onboarding to destruction.

Ciera Logan is an attorney in Fox Rothschild’s Privacy & Data Security Practice. She can be reached at [email protected].