You’ve heard of the GDPR, or General Data Protection Regulation, the data protection and privacy law passed in the European Union. Even many United States-based companies have had to understand the GDPR and how it applies to them if they have offices or employees overseas.
In 2018, the CCPA or California Consumer Privacy Act was passed in California. This law has been referred to as the GDPR-lite, and it covers some of the same territory as the GDPR. And although it’s a California law, it also has the potential to affect businesses and organizations all around the country. If you’re an employer, you need to understand who is affected by the CCPA and how to comply with it.
Who Has to Comply With the CCPA?
Are you informed about how the new law will affect your company?
Not every business will be affected by the CCPA, including some located in California. The Act sets out specific categories for businesses that will be affected by the law. The first step toward determining whether or not you need to comply with the CCPA is determining whether your organization falls into one of those categories.
Businesses that must follow the CCPA fall into at least one of the following categories:
Remember that you don’t need to fall into all of the categories to be affected by the CCPA. If your business falls into any one of these categories, then it’s subject to the law.
Exceptions for Background Checks
You may have heard confusing reports about whether compliance requirements for the CCPA extended to background checks. Originally, background check data was included in the scope of coverage outlined by the CCPA. However, the act was later amended to exempt activities that are authorized by the federal Fair Credit Reporting Act.
An example of an activity authorized by the Fair Credit Reporting Act is a background check that is done by a consumer reporting agency, at the request of an employer, in accordance with the Fair Credit Reporting Act. This exemption was added because the Fair Credit Reporting Act already works to meet the same goals as the CCPA was designed to meet. If your background check practices are in line with the Fair Credit Reporting Act, you should be in line with the CCPA as well.
There are various other exemptions as well – for instance, entities that are bound by HIPAA laws are exempt from the CCPA with respect to patient information covered by HIPAA, but that doesn’t mean that healthcare organizations are fully exempt from the CCPA – their employee data and data on job applicants is still subject to the CCPA.
What Do You Need to Do to Comply?
The CCPA gives employers more control over their own data.
Knowing that your background checks are exempted from the law may help you breathe a little bit easier, but that doesn’t mean that there aren’t still things that you need to do in order to make sure that you’re in compliance.
One requirement of the CCPA is that your organization needs to take reasonable security measures to protect data. Remember, news about high-profile data breaches that exposed the personal information of many consumers was the impetus for this law. Lawmakers are trying to help protect consumers from similar future breaches that may be avoidable if organizations took reasonable steps to prevent them.
Under the CCPA, California residents are allowed to seek between $100 and $750 per incident in damages when a breach occurs and sensitive information is stolen, if the company could have taken steps that would have prevented the breach.
Another requirement involves letting employees know what personal information of theirs will be gathered and how that information will be used. Employers can do this in the form of a privacy policy that employees should receive either at the point of information collection or before the information is to be collected.
For the purposes of compliance, it’s important to understand that the words “personal information” refer to any information that identifies, describes, or can be associated with or linked, directly or indirectly, to a specific household or consumer.
Finally, there’s the access and deletion requirement. Essentially, this just means that employees have the right to access their own personal information that’s been collected by the company and delete that information if they choose to do so, without fear of retaliation by the employer.
Furthermore, workers also have the right to know if their personal information is being disclosed or sold to third parties, and to opt out of that disclosure if they choose to. Employers are temporarily exempted from this requirement, but unless things change, they’ll need to be in compliance by January 1st, 2021.
Best Practices for Preparing for the CCPA
If your company has offices or employees in California, you need to begin taking steps to ensure that your company is in compliance with the CCPA. Some of the best practices for preparing for the CCPA include:
Don’t forget your independent contractors. California’s laws about independent contractors have recently changed, so you’ll want to make sure that any contractors your company uses are classified correctly and receive the privacy protections that they’re entitled to.
Even if your company isn’t based in California or employing workers in California, similar bills may be in the pipeline in other states, so it’s worth considering how you’ll comply with similar laws if they come your way.