New Jersey’s Data Breach Notification Amendment Signed into Law

On May 10, Governor Phil Murphy signed into law P.L.2019, c.95. an amendment enhancing New Jersey’s data breach notification law by expanding the definition of personal information, and updating notification requirements. As we previously reported, the amendment was unanimously approved by the New Jersey General Assembly and Senate in late February.

New Jersey’s data breach notification law requires businesses to notify consumers of a breach of their personal information. Previously the law defined personal information as an individual’s first name or first initial and last name linked with any one or more of the following data elements:

  • Social Security number;
  • driver’s license number or State identification card number;
  • account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The new law adds to the above list of data elements:

  • user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.

In addition, notification requirements are different for these added data elements. Under the amendment, businesses or public entities experiencing a breach involving a user name or password, in combination with any password or security question and answer that would permit access to an online account, and no other personal information, may notify affected consumers via electronic or other form that directs the customer whose personal information has been breached to promptly change any password and security question or answer, as applicable, or to take other appropriate steps to protect the online account with the businesses or public entities and all other online accounts for which the customer uses the same user name. Further, for breaches involving an email account, a business or public entity shall not provide notice of the breach via the compromised email account. Instead, notice shall be provided by one of the other methods described in the law, OR by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an IP address or online location from which the business or public entity knows the customer customarily accesses the account.

New Jersey has now become at least the 10th state to update its data breach notification law to specifically address online breaches. The new law will take effect September 1, 2019.

California’s “Your Data, Your Way” Initiative

Image result for alexa recordingCalifornia keeps making privacy headlines for its trailblazing California Consumer Privacy Act (“CCPA”), set to take effect January 1, 2020, but there is another set of privacy bills making its way through the California state legislature, that, if passed, will provide consumers with further privacy protections.

The “Your Data Your Way” initiative, comprised of four legislative bills and a non-binding resolution, is a privacy plan introduced by several Republican Assembly members in January on National Privacy Day, that has passed California’s Committee on Privacy and Consumer Protection (“the Committee”), and is now headed to the Assembly for a potential vote, followed by the Senate. Each bill has already been revised to some extent during the Committee process, and will likely experience further revisions along the way.

Below are some highlights from the four “Your Data, Your Way” initiative bills:

  • AB 1035 An amendment to California’s data breach notification bill, sponsored by Assemblyman Chad Mayes, would require covered businesses to notify affected individuals of a data breach within 45 days of discovery of the breach. The bill originally included a 72-hour data breach notification requirement, similar to the GDPR, but this was revised during the Committee process.
  • AB 1395 Virtual assistants, such as Alexa, have raised concerns about unintended recording of conversations and utterances by users. Sponsored by Assemblyman Jordan Cunningham, this bill would limit data collection conducted by tech companies via these devices. Specifically, the bill includes a prohibition on data storage and marketing of recorded voice commands without prior consumer consent.
  • AB 288 Another bill sponsored by Assemblyman Cunningham on social media privacy, would allow “social networking service” users that close their account the option to have their personally identifiable information (PII) permanently removed from the company’s database and would prohibit the company from selling this PII to, or exchanging the PII with a third-party, subject to a few exceptions.
  • AB 1138 Assemblyman James Gallagher’s bill, AB 1138 would require social media websites and apps to obtain parental consent before creating the account of a child under the age of 13. This builds on California’s Parent’s Accountability and Child Protection Act (AB 2511), which becomes effective on January 1, 2020. AB 2511 requires a person or business conducting business in California and that seeks to sell certain products or services to take reasonable steps, as specified, to ensure that the purchaser is of legal age at the time of purchase or delivery, including, but not limited to, verifying the age of the purchaser.

In addition, as part of the “Your Data, Your Way” initiative, a non-binding resolution entitled “21st Century Monopolies” was introduced, calling on the Federal Trade Commission (FTC) and Congress to update the federal anti-trust laws in order to more effectively protect consumers.

As recently touched on by Charlie Warzel in an opinion piece entitled, “We are Drowning in Data” in the newly established New York Times Privacy Project, we still cannot fathom the extent to which technology will cause an expansion in the already exorbitant amount of ways our personal data is collected. Innovation continues to outpace technology, but California is certainly trying to keep up!

High-end Job Recruitment Site Exposes at least 13.7 million Users with Unprotected Server

A security lapse has exposed the data of at least 13.7 million user records of the high-end job recruitment site, Ladders. The company left a cloud-hosted search database exposed without a password. Ladders took the database offline less than an hour after the news website TechCrunch alerted the company after learning about the potential breach from a security researcher, Sanyam Jain.

Each record included names, email addresses, addresses, phone numbers, their employment histories and even exact geolocation based off of individual IP addresses. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

A data leak of information such as social security numbers, phone numbers, credit history or other more sensitive information “would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards,” according to Bob Diachenko, online publisher for TechCrunch. In contrast, most of the information affected in the Ladders’ data leak, while personal and sensitive, does not amount to personally identifiable information which could be used for identity theft.

Additionally, an important distinction should be made between data leaks and data breaches: data leaks are usually incidents in which data was unintentionally made public as the result of an accident or misapplication of a system’s features, however the data has not actively been accessed or exfiltrated; data breaches are incidents involving active threats which compromise a database.

The recent abundance of high-profile data leaks as of late emphasize the need for organizations today to be proactive rather than reactive. The legal landscape of the data privacy world also reflects this approach. For example, the General Data Protection Regulation (GDPR) enforces a “Privacy by Design” system, which requires any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. Similarly the much anticipated California Consumer Privacy Act, requires a business to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”, and similar frameworks are mandates in other states such as Colorado, Massachusetts and Oregon.

This wave of data leaks/breaches, combined with the growing public awareness of data privacy right and concerns, and legislative activity in the area, makes the development of a meaningful data protection program an essential component of business operations.

Will Texas Soon Join the Ranks of States Enacting Privacy Legislation?

Texans like the adage “Everything is Bigger in Texas”. So, as the Lone Star State follows its counterparts and the federal government in discussing broad sweeping privacy protections, legislators introduced two (competing) privacy bills this session: the Texas Consumer Privacy Act and the Texas Privacy Protection Act.

Readers should note that the 2019 Texas Legislative Session is set to end on May 27, 2019, although a special session may be called to address items not resolved during the regular session. If privacy legislation is not passed, state lawmakers would not consider it again until 2021, as the legislature only meets every other year, for 140 days. If either of the bills were to pass this session, the effective date could be as early as September 2020.

Even if neither bill passes this session, which is likely the case given the legislative hurdles that must happen within the limited timeframe, privacy as an issue is not going away in Texas (or anywhere else for that matter). And, given that Texas is the second largest economy in the U.S., any privacy legislation will have a big impact. The current prediction is that Texas will take a back seat to watch how California enacts the CCPA, and (hopefully) learn from some of its pain points in order to adopt legislation in 2020.

Nevertheless, below is an overview of the two pending bills in their current form.

Texas Consumer Privacy Act (“TXCPA”)

The TXCPA is similar to the California Consumer Protection Act (“CCPA”). It provides Texas consumers with rights to:

  • Know what information is being collected, distributed and sold about them;
  • Opt-out of sales of their information, including a requirement that businesses include a “Do Not Sell My Information” link on their website; and
  • Request that their information be deleted.

The TXCPA would also require businesses subject to the act to:

  • Provide notification of categories of personal information collected and how each category would be used;
  • Provide an online privacy policy or notice; and
  • Provide methods for consumers to submit data requests and disclose certain information in response to such requests.

It also borrows concepts from the EU GDPR around transparency and notice.

Similar to the CCPA, there are questions about how the bill would define a consumer and whether it would be applied to employees. Like the CCPA, the TXCPA also provides rights to households, but this is currently not well defined. The TXCPA does not establish a business duty to implement and maintain security procedures, nor does it allow a private cause of action for consumers in the event of a breach. The Texas Attorney General would enforce violations, set at an amount up to $2,500 per violation (and $7,500 for intentional violations).

In its current form, the TXCPA would only apply to certain businesses, including those that collect consumer personal information. These types of businesses would also have to meet certain thresholds.

Texas Privacy Protection Act (HB 4390)

The TXPPA distinguishes itself from the TXCPA with applicability and its level of detail. It also does not provide the same consumer rights as the TXCPA. For the TXPPA to apply, a business must be:

  • Doing business in Texas
  • Have more than 50 employees
  • Collect personally identifiable information (“PII”) of more than 5,000 individuals, households or devices (or have this information collected on its behalf); this only applies to the collection of PII over the Internet or digital network, or through a computing device that is associated with a specific end user. This requirement is not only to “Texas residents” meaning an Internet business with only a handful of customers in Texas, but numerous customers elsewhere, may be subject to the law.
  • And either:
    • Have an annual gross revenue of more than $25 million; or
    • Derive 50% of more of its annual revenue from the processing of PII.

The traditional PII categories, like social security number, driver’s license number, credit card or financial account information, etc. are expanded under the TXPPA to include biometric information, religious affiliation, racial or ethnic origin information, unique genetic information, physical or mental health information, precise geolocation data and the private communications or other user-created content of an individual that is not publicly available.

The TXPPA requires the explicit permission from the individual from whom the information pertains, unless processing is required by law. A business may only process PII if it is relevant to accomplish the purpose for which it is to be processed, and this must be specified by notice prior to the collection. Processing also may not violate state or federal law or infringe on an individuals’ Constitutional rights or privileges. The TXPPA also gives individuals the right to access their PII and the right to be forgotten.

TXPPA requires impacted businesses to establish and maintain a comprehensive security program that contains safeguards for PII, although there is not a lot of guidance in the current bill on this. Like the TXCPA, there is no private cause of action for a breach of duty to protect PII. Businesses would also be liable when a service provider mishandles their data.

Also like the TXCPA, the Texas Attorney General may bring an action and recover civil penalties, but they are higher under the TXPPA – up to $10,000 per violation, not to exceed a total of $1 million.

Either bill, if passed into law, would keep Texas in line with other states currently enhancing their privacy and security laws to keep up with the California Consumer Privacy Act set to take effect January 1, 2020.  Organizations across the United States should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs).


University Settles Claims Involving Use of Retirement Plan Participant Data For Cross-Selling by Recordkeeper

Wrongful use of retirement plan participant data was among the claims made by a class of 40,000 participants against the plan sponsor and others in Cassell et al. v. Vanderbilt University et al. Specifically, the plan participants claimed that the University inter alia breached its “loyalty and prudence” duty by failing to protect confidential employee retirement plan participant information, allowing the plan’s recordkeeper to obtain access to participant’s personal information and to profit from that access.

The parties reached a settlement agreement which included a payment of $14.5 million along with promises to make certain changes in plan administration. Retirement plan sponsors have faced litigation concerning plan administration in a number of areas including investment selection and prudence over plan fees, but the Vanderbilt settlement includes a uniquely heightened focus on protection of data, signaling a trend in this direction.

Recordkeeping, investment of contributions, and other tasks associated with retirement plan administration require access to large amounts of personal information, usually in electronic format. The risks to that are not limited to data breaches. As the Vanderbilt settlement indicates, plan participants have become increasingly aware of the vulnerabilities associated with handling their data, as well as how their data is being used by plan vendors. In addition to monetary compensation, the Vanderbilt settlement stipulates that vendors such as recordkeepers cannot use employee participant data to market or sell products unrelated to the retirement plan to the participants, unless the participants initiate.

The Employee Retirement Income Security Act (“ERISA) is the primary federal statute regulating employee benefit plans, including retirement plans. Currently, there are no express provisions in ERISA that prohibit the use of plan participant data for any particular purpose. However, the plaintiffs in this case relied on ERISA’s long standing fiduciary duty provisions to support their claims concerning plan data:

  • ERISA’s fiduciary duty provisions require plan fiduciaries to discharge their duties with respect to a plan solely in the interest of the participants and beneficiaries and for the exclusive purpose of providing benefits to participants and their beneficiaries. 29 U.S. Code § 1104.
  • ERISA also prohibits plan fiduciaries from engaging in certain prohibited transactions, including transactions between the plan and a party in interest which the fiduciary knows constitutes a direct or indirect transfer to, or use by or for the benefit of a party in interest, of any assets of the plan. 29 U.S.C. §1106(a)(1).

It will be interesting to see if these kinds of claims take hold, after all, this is only a settlement and not a decision in federal court. One of the issues courts will have to wrestle with is whether plan data constitutes a plan asset.

But for now, plan sponsors should be thinking about their relationships with plan third party service providers. According to the DOL, ERISA requires plan fiduciaries to “obtain and carefully consider” the services to be provided by plan service providers before engaging the provider. Whether that duty extends to assessing the provider’s data privacy and security practices is not clear. But, in light of this settlement, plan sponsors should be asking themselves some basic questions including, who has access to participants’ data? How much (and what) data does the provider have access to, and what are they doing with that data? Is the service provider sharing data with other third parties?

Of course, depending on the bargaining power of the sponsor, it may not be able to convince a vendor to agree not to use participant data solely for plan administration purposes. At a minimum, sponsors should be sure their process includes these and other factors when making selections.

More Updates to the CCPA May Be Ahead

Ever since the California Consumer Privacy Act (CCPA) was enacted in June of 2018 it has been in a constant state of revision.   First, in September of 2018, Governor Jerry Brown signed into law Senate Bill 1121, which helped clarify and strengthen the original version of law. Then, in February of 2019, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, similarly intended to clarify and strengthen the CCPA with expansion of the consumer’s right to bring a private cause of action and removing certain ambiguous language. During this period, the California Attorney General’s Office also conducted a CCPA rulemaking process with a six-part series of public forums, allowing all interested persons the opportunity to provide their comments on the new law. And finally, earlier this week, the California Assembly of Privacy and Consumer Protection Committee (“Committee”) introduced several bills intended to clarify some of the remaining ambiguities in the CCPA.

We’ve already reported on one of the bills, introduced by Committee Chairman Ed Chau’s AB 25, which the committee unanimously approved. AB 25 modifies the definition of consumer to exclude employees, and contractors (if a written contract is in place). In addition to AB 25, several other bills were approved by the Committee and will now advance to the Senate Judiciary Committee, chaired by Senator Jackson, a major proponent of protection of consumer rights. It is likely that some of these bills will not survive the legislative process, and others will be revised along the way. Below is a list of the Committee approved CCPA amendment bills:

  • AB 846 A bill that updates the clause prohibiting businesses from discriminating against consumers who exercises “opt-out” rights by clarifying that loyalty, rewards, and similar programs are exempt.
  • AB 873 – A bill that helps clarify ambiguities in the definitions of personal and deidentified information.
  • AB 874A bill that updates the public record exemption under the definition of personal information.
  • AB 1146 A bill clarifying a consumer’s right to request that a business delete or not sell the consumer’s personal information, in the context of a motor vehicle warranty or recall information.
  • AB 1355 – An additional bill introduced by Chairman Chau makes technical changes to CCPA drafting flaws.
  • AB 1564 – A bill providing alternatives to the current requirement that a business makes available to consumers a toll-free number to submit requests for information regarding the use of their personal information. Alternatives include an email address and physical address for submitting requests.

The Committee also approved AB 981 which would make significant changes affecting the insurance industry, including changes that would hope to incorporate California’s Insurance Information and Privacy Protection Act (“IIPPA”) to avoid overlap with CCPA, and exempting insurance institutions, agents, and support organizations (insurers) from certain CCPA provisions. Other changes include:

  1. Providing that insurers or insurance transactions subject to the IIPPA shall be exempt from the CCPA. This exemption would not apply to the CCPA’s limited private right of action for data breaches or business activity not subject to the IIPPA.
  2. Defining various terms for the purposes of the IIPPA to mirror the definitions provided in the CCPA, including “consumer” to reflect the definition proposed in the March 25, 2019 version of AB 25, and “personal information” to reflect the definition of that term provided in the CCPA, with the exception of “household,” which is absent from the definition, similar to AB 873.
  3. Requiring insurers to provide certain notices concerning their information practices and privacy policies and procedures, including communications to individuals regarding the right to opt-out of disclosures.
  4. Requiring an insurance institution, agent, or insurance-support organization to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of policyholder information, as specified, and authorize the commissioner to audit an insurance intuition, agent, or support organization’s compliance.
  5. Prohibiting an insurer from “unfairly discriminating,” against an applicant or policyholder because that applicant or policyholder has opted out from the disclosure of nonpublic PI, or did not grant authorization for the disclosure of nonpublic personal medical record information.

In addition, the Senate Judiciary Committee was scheduled in a April 23 hearing to review SB 753, a bill that would have revised the definition of “sell” to exempt situations where a business “pursuant to a written contract, shares, discloses, or otherwise communicates to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer.” The bill would require such a “contract to prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to serve or audit advertisement from the business.” Review of SB 753 was cancelled at the request of Senator Henry Stern, the bill’s author, who faced criticism that the bill would negatively impact the CCPA’s purpose.

We will continue to track and update on the fate of these bills. While it remains unclear which bills will ultimately stick, the CCPA is certain to see additional changes in the upcoming months.

Supreme Court Rules on Employee Data Breach Class Arbitration Suit

In June of 2018 we reported that the U.S. Supreme Court granted a petition for review of a data breach lawsuit addressing the issue of whether parties can pursue class arbitration when the language in the arbitration agreement does not explicitly allow for such, Lamps Plus, Inc. v. Varela , No. 17-988, certiorari granted April 30, 2018. By granting the petition for certiorari, the Court afforded itself the opportunity to clarify its 2010 decision in Stolt-Nielsen v. AnimalFeeds International Corp., 559 U.S. 662 (2010) in which the Court ruled that parties cannot be forced into class arbitration, “unless there is contractual basis for concluding [they] agreed to do so”. The Supreme Court has finally issued its decision, ruling on April 24 2019, that arbitration agreements must explicitly include a class arbitration clause for parties to arbitrate class action claims.

The Supreme Court, in a 5-4 ruling, authored by Chief Justice Roberts, held that the 9th Circuit panel erred in ruling that Lamps Plus, a lighting retailer, must participate in a class arbitration of an employee’s claims when the employment agreement did not state that class arbitration was available. The employee’s claims arise from an incident of identity theft, as the result of a phishing attack, in which a third party impersonating a Lamps Plus employee convinced a fellow Lamps Plus colleague to send copies of W-2 forms for multiple Lamps Plus employees.

The employment agreement between the named plaintiff, Frank Varela, and his employer, Lamps Plus, included an arbitration clause, however it was silent on whether the clause also allowed for class arbitration. The 9th Circuit majority ruling stated that “perhaps the most reasonable” interpretation of that agreement allows for class arbitration. The circuit court analogized how Varela waiving his “right…to file a lawsuit or other civil action or proceeding” and “any right…to resolve employment disputes through trial by judge or jury,” clearly also includes waiving his right to class action lawsuits, even though the agreement does not explicitly state such.

The Supreme Court overturned the 9th Circuit and ruled that Stole-Neilsen does not permit a lower court to make such an “inference” from an ambiguous arbitration agreement. “Under the Federal Arbitration Act, an ambiguous agreement cannot provide the necessary contractual basis for concluding that the parties agreed to submit to class arbitration,” the opinion stated. “Like silence, ambiguity does not provide a sufficient basis to conclude that parties to an arbitration agreement agreed to ‘sacrifice the principal advantage of arbitration.”

In addition, the Court emphasized that the use of class arbitration “undermines the most important benefits” of the individual arbitration process, “lower costs, greater efficiency and speed and the ability to choose expert adjudicators to realize specialized disputes”.

The Supreme Court’s decision in Lamps Plus has significant implications for employers, well beyond the data breach context. This case is considered a “win” for employers, as lower courts will lack the ability to “infer” class arbitration clauses in arbitration agreements. Nonetheless, companies are advised to include unambiguous language in their employment agreements on whether class arbitration is available. For further insight on the Lamps Plus decision, check out our Class Action and Complex Litigation Practice Group’s in-depth commentary on the case, available here.


HIPAA Penalties Change Under HHS Notice of Enforcement Discretion

When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, current HHS regulations apply the same cumulative annual penalty limit across these four categories. Today, the Department of Health and Human Services (HHS) issued a notification of enforcement discretion changing its interpretation of HITECH resulting in a reduction in the amount of the cumulative annual penalty limit for three of the four categories.

What Are The Four Categories Again?

Section 13410(d) of the HITECH Act established four categories for HIPAA violations:

  1. No knowledge. The person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. Reasonable Cause. The violation was due to reasonable cause, and not willful neglect;
  3. Willful Neglect – Corrected. The violation was due to willful neglect that is timely corrected (30 days); and
  4. Willful Neglect – Not Corrected. The violation was due to willful neglect that is not timely corrected.

What Was The Old Range of Penalties?

The range of penalties for the four categories above was as follows:

Category Minimum Penalty Maximum Penalty Annual Limit
No Knowledge $100 $50,000 $1,500,000
Reasonable Cause $1,000 $50,000 $1,500,000
Willful Neglect – Corrected $10,000 $50,000 $1,500,000
Willful Neglect – Not Corrected $50,000 $50,000 $1,500,000

What Is The New Range of Penalties?

Commenters noted to HHS that above structure was not consistent with HITECH’s tiered approach to penalties; that is, establishing categories based on culpability. This is because the annual limits were the same for all levels of culpability. Upon further review by HHS’ Office of the General Counsel, HHS has determined that the better reading of HITECH is to apply annual limits as shown below.

Category Minimum Penalty Maximum Penalty Annual Limit
No Knowledge $100 $50,000 $25,000
Reasonable Cause $1,000 $50,000 $100,000
Willful Neglect – Corrected $10,000 $50,000 $250,000
Willful Neglect – Not Corrected $50,000 $50,000 $1,500,000

According to the guidance, while HHS expects to engage in future rulemaking to revise the penalty tiers in the current regulation to better reflect the text of HITECH, these changes are effective until further notice.

Can Hackers Break Into GPS Trackers Used For Your Fleet?

The answer may be yes.

GPS trackers enable businesses to derive greater efficiencies and productivity from their employees and their vehicle fleets. But, when businesses deploy this technology, HR departments often raise valid concerns about employee privacy on and, in some cases, off the job. When employers install GPS trackers on company-owned vehicles, these privacy concerns typically are outweighed by productivity gains, improved safety, and better control over time at work. According to a recent report, however, employers also need to be concerned about the security of their GPS trackers.

I can absolutely make a big traffic problem all over the world

According to Motherboard, a hacker known as L&M claims he has hacked into thousands of iTrack and ProTrack accounts. The reports indicate this activity has been going on in several countries, including South Africa, Morocco, India and the Philippines. iTrack and ProTrack are apps employers use with the GPS trackers to manage their fleets. The most unsettling part of this story is the hacker claims to be able to kill the engines of vehicles being driven by employees.

How can this happen?

Like many devices, they come with default passwords (e.g., 123456) which are among the most popular passwords and the least secure. According to the reports, the hacker acquires the usernames and then uses the anticipated default passwords to gain access to the account.

So, what can employers do?

I came across this NIST blog post which was a fun read and provided some excellent tips which basically boil down to the following:

  • Change default passwords! (And, not just for GPS trackers)
  • Develop passphrases – they generally are easier to remember and harder to crack.
  • Don’t store your passwords or passphrases on your devices.
  • Don’t use the same password or passphrase for all of your accounts, and certainly not your most important accounts.
  • Change your passwords and passphrases regularly. With billions of usernames and passwords being shared by hackers, it is possible that they have yours.
  • Don’t rely solely on passwords or passphrases. Adopt multifactor authentication.

When organizations roll out new technology, they simply have to add security considerations to list. This includes making sure default passwords are changed.

CCPA: Employee Personal Information on the Chopping Block

How will the California Consumer Protection Act (CCPA) apply to us? This is a question 0rganizations have asked since the CCPA was first proposed. There remains a number of important questions about the scope of the Golden State’s sweeping privacy law that still need to be answered.

One of those questions is whether the CCPA will reach employee data; that is, are an organization’s employees “consumers” under the law. Earlier this week, the California Assembly Privacy and Consumer Protection Committee started working through a number of bills addressing the CCPA. Included in those bills is AB 25, authored by the Committee Chairman, Ed Chau, which addresses this issue.

The Committee unanimously approved AB 25 which modifies the definition of “consumer” to exclude

a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business. 

If signed into law, this change would be welcomed news for organizations already struggling with other aspects of CCPA compliance. However, organizations still may have CCPA issues to consider with respect to their employees.

Individuals can be employees and consumers of the same organization. In that case, an organization might want to consider, for example, how a dispute over its handling of a request for deletion of consumer personal information belonging to an employee/consumer could spill over into the workplace. Likewise, employers may have engaged certain third party vendors to provide certain products or services to employees. In certain circumstances, employers have a duty to obtain written assurances from those vendors that they will safeguard the employee personal information provided to these vendors. Employers will have to consider whether those assurances should include CCPA compliance, or will a “compliance with all laws” clause be sufficient.

Additionally, with the significant media attention to the CCPA and other privacy developments, such as the European Union’ General Data Protection Regulation (GDPR), employees may get confused about whether their rights under the CCPA as consumers also extend to the workplace. Some organizations may already extend CCPA-like protections to employees, perhaps flowing from global privacy policies driven primarily by GDPR. However, organizations that have not taken that approach need to be prepared to respond to demands from employees concerning their personal information. “The CCPA does not apply” may not be the right answer in light of the fact many states provide certain rights to employees concerning their personnel file and personal information. In California, for example, current and former employees have the right to inspect and receive a copy of the personnel files and records that relate to the employee’s performance or to any grievance concerning the employee. Cal. Labor Code Section 1198.5.

Further, regardless of the ultimate amendments to CCPA, there continues to be a growing trend for states to propose and implement privacy protections related to the data organizations collect.

We will be following the fate of AB 25 and the other pending CCPA bills. If CCPA is amended by AB 25 as currently drafted, it will be a relief for CCPA-covered entities, but it will not entirely eliminate the potential implications CCPA (or other state laws) may have on the workplace.