Employers, you are not out of the CCPA woods yet.

If you have been tracking the proposed amendments to the California Consumer Privacy Act (CCPA), you know that businesses and stakeholders have been clamoring to shape the new sweeping law in a number of ways. We reported earlier this year on some of the potential changes approved by the California Assembly Privacy and Consumer Protection Committee, which moved on for further consideration. Upon arrival at the Senate Judiciary Committee, several of these business-friendly changes met some resistance, including AB 25 which generally would have excluded employee personal information from being covered under the CCPA.

While employers had hoped AB 25 would amend the CCPA to exclude information gathered in the employment context outright, on July 9, 2019, the California Senate Judiciary Committee clarified that will not be the case.

As we previously noted, the Privacy and Consumer Protection Committee in April unanimously approved AB 25 which sought to modify the definition of “consumer” under the CCPA to exclude “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person’s personal information is collected and used solely within the context of the person’s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”

A coalition in opposition to AB 25 expressed concerns that the exemptions go too far in eroding the rights of employee consumers, especially in light of current and future workplace monitoring practices. In response to these concerns, the bill’s author, Assemblymember Ed Chau, agreed to amend AB 25 to clarify that while employee data would be excluded from many of the CCPA’s requirements (including permitting consumers to request: the deletion of their personal information; the categories of personal information collected; the sources from which personal information is collected; the purpose for collecting or selling personal information; and the categories of third parties with whom the business shares personal information), employers subject to the CCPA would still be required to inform consumers (including employees) as to the categories of personal information they collect and the purposes for which such personal information shall be used.

Notably, AB 25’s exemption for employee data would not apply to the CCPA’s subdivision which establishes a private right of action, including those brought as a class action, for any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. This private right of action establishing statutory damages permitting the recovery of damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

To afford business and consumer groups time to develop additional legislation to address concerns about employee personal information, Assemblymember Chau further revised AB 25 to specify that the exemption for employee data would only be effective for the 2020 calendar year and would be inoperative on or after January 1, 2021.

As amended, AB 25 unanimously passed through the Senate Judiciary Committee and will now go to the Senate Appropriations Committee, and if passed, to a full Senate for a final vote. AB 25’s amendments highlight the growing recognition of privacy interests in the employment context and the need for businesses to continue to prepare for the CCPA’s effective date.

Tags: access, breach, business, California, California Consumer Privacy Act, CCPA, data breach, Data Security, employee, employer, monitoring, personal information, privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Related Posts
New CCPA Regulations Go Into Effect, Updated FAQs Summarize Key Compliance Requirements
January 22, 2026
Understanding California’s New CCPA Cybersecurity Audit Requirements
December 8, 2025
The CCPA and Automated Decision-Making Technologies (ADMT)
November 25, 2025