Privacy & Information Security Law Blog

A number of bills to amend the California Consumer Privacy Act of 2018 (“CCPA”) are still pending before the California legislature. Of particular interest to many businesses is AB 25. AB 25 would exempt from the CCPA’s application “[p]ersonal information collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” if the personal information is collected and used by the business solely within the context of the person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. The bill also would exempt from the CCPA’s application emergency contact information of these exempted categories of individuals and information necessary to administer benefits for persons related to such individuals.  Notably, AB 25 does not appear to exempt business-to-business customer representatives or representatives of other third-party business partners.  AB 25 also would authorize a business to require authentication of a consumer that is reasonable in light of the nature of the personal information requested. The bill further would authorize a business to require a consumer to submit the consumer’s verifiable request through the consumer’s account, where the consumer maintains an account with the business.

In a Senate Judiciary Committee hearing on July 9, 2019, the bill’s author agreed to further amend AB 25 so that certain disclosure obligations set forth in Section 1798.100(b) and the law’s private right of action for data breaches set forth in Section 1798.150 would continue to apply to all California residents, including in the employment context. If AB 25 is enacted in its revised form, a covered business would be required to inform its employees, job applicants, and other enumerated individuals performing roles within the business’s employment context as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. Such notice would need to be provided at or before the point of collection, and the business would be prohibited from collecting additional categories of personal information or using personal information for additional purposes without first providing notice of such additional collection or use. The CCPA’s other requirements, however, would not apply to these exempted categories of individuals, including the rights made available to consumers under the CCPA.

For employers, the good news is that the revisions to AB 25 may increase the likelihood of the amendment being enacted, thereby relieving employers of many of the CCPA’s obligations that pose challenges in the employee/employer context (e.g., more rigorous disclosure obligations, access and deletion rights).

The revisions to AB 25 also include a provision that would sunset the employee exemption on January 1, 2021. The sunset provision is intended to create an incentive for proponents of the employee exemption to collaborate on further legislative attempts to protect employee privacy in an appropriate manner.

Visit Hunton’s CCPA Resource Center for more information on the CCPA.