The California Privacy Rights Act vs Employee Monitoring
Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) originally came into effect on January 1st, 2020, only a year and a half after it was passed.
Since its passing, the CCPA has received multiple amendments, the most notable of which is The California Privacy Rights and Enforcement Act of 2020 (CPRA), which grants employees the same rights as any other consumers. The compliance date for the California Privacy Rights Act (CPRA) was January 1, 2023.
In this article I will outline the key takeaways that employers need to know if they wish to monitor employees in the workplace while maintaining compliance with the CPRA and CCPA.
This article is intended for informational purposes only and is not a replacement for consultation with a lawyer.
JANUARY 2023 UPDATE
On January 1, 2023, absent intervention from the California legislature, the nation’s first comprehensive data privacy law, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), will not only regulate consumer data but will also regulate previously exempt human resources data as well.
The CPRA will apply its heightened data protection requirements regarding limiting processing of sensitive personal information, deletion, and access to the personal information of California employees, job applicants, and contractors.
Phileda Tennant and Olivia Hinerfeld, Vinson & Elkins LLP
As of January 1st 2023 employees have the same CPRA rights that consumers have, which are:
- Right to access the personal information held by the employer
- Right to correction of the consumer’s personal information
- Right to deletion
- Right to opt out of the sale or sharing of personal data
- Right to data portability
- Right to limit the use of their sensitive personal information
- Right to no retaliation for exercising their privacy rights
Employers using employee monitoring tools to collect information about how individual employees work must be prepared to respond to these requests. They must also treat HR data with the same level of care and security controls as they do consumers’ personal information.
JANUARY 2021-2022 UPDATE
On September 29, California Governor, Gavin Newsom, signed an amendment (AB 1281) into law that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions until January 1, 2022.
As businesses continue to work through COVID-19 obstacles, these extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements.
National Law Review, October 2020
The California Privacy Rights and Enforcement Act (CPRA) vs California Consumer Privacy Act (CCPA)
When the CCPA was originally implemented its scope was focused on bolstering the data privacy rights of California consumers. Over time there have been several amendments to the CCPA to refine how these protections should be extended in the context of B2B and employee-employer relationships. One of these amendments was Assembly Bill 25 (AB25), which was passed on September 13, 2019 and signed into law on October 11, 2019.
When AB25 was passed it provided employers with a moratorium on complying with the CCPA with regard to information collected by them “in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.”
Notably, AB25 did not amend the requirements for employers to implement reasonable security measures to safeguard employee data and to disclose the categories of personal information they collect about employees and job applicants, as well as the purpose of collection.
The exemptions stipulated by AB25 were originally set to expire on January 1st, 2021; however, further amendments from the California Privacy Rights Act of 2020 (CPRA) have since extended this date to January 1st, 2023. It is believed that the extended employee and business-to-business (B2B) exemption is intended to provide opportunities for future legislation to be passed that directly governs employee data in an employee-employer relationship.
That said, even before the CPRA comes into effect businesses have existing obligations under the CCPA that they need to be prepared for. Namely, they must provide notices to employment-related data subjects of the data they collect and the purposes for its collection. They must also implement sufficient security measures to prevent misuse or leaks of the data.
How the California Privacy Rights Act (CPRA) Affects Employee Monitoring
Generally speaking, employers are allowed to use employee and computer monitoring software to monitor company-owned devices so long as there are legitimate business reasons for capturing the data.
The CPRA will still allow for the monitoring of employee computer activity, however employees will be provided with additional rights regarding that data. When the CPRA becomes fully operational on January 1st, 2023 employees will be granted the same protections from their employers that were guaranteed to consumers under the CCPA.
While the CPRA will not become operational until January 1, 2023 and enforcement will not begin until July 1, 2023, its regulations will apply to data collected since January 1, 2022. Employers that are subject to this law must be prepared to adjust how they collect, use, store, and protect employee monitoring data (such as website browsing activity).
The CPRA will provide employees with the right to access, delete, or opt-out of the sale of their personal information, including data collected by employee monitoring software. Employers that collect employee computer activity data must develop systems that allow the deletion of this data on the request of their employees. Their employees will also be granted the right to know where, when, and why their employers are using their personally identifiable data.
Here’s what businesses can do to remain CPRA compliant when monitoring employees in the workplace:
- Transparency: Employers must be transparent with their employees regarding data collection, including data collected through employee computer monitoring software. A notice of collection must include what data the company collects as well as the purposes for its collection.
- Data Security: Employee data must be secured against unauthorized use and data breaches. Employers that are found to not be adequately securing employee data could expect fines ranging from $2,500 to $7,500 per violation.
- Limit Storage: Data collected through employee computer monitoring software must not be stored indefinitely. Once the data collected is no longer relevant to the operation of the business it must be deleted to reduce the potential impacts on the employee following a data breach.
Even if your company isn’t based in California or employing workers in California, the data privacy revolution is well under way. To best prepare for business continuity you should operate under the assumption that legislation that is substantially similar to GDPR, CCPA, and CPRA will impact your business in the future. Implementing measures that allow you to monitor employees while respecting data privacy legislation now will allow you to adjust to future data privacy laws with greater ease.
For more information regarding the differences between the CCPA and the CPRA, visit this article by Manatt.
ORIGINAL ARTICLE
This section is current as of December 20, 2019.
Note: As of July 1st, 2020 the California Consumer Privacy Act (CCPA) is now being enforced.
A new decade is upon us, and with it comes a continuation in the rapid evolution of data privacy laws and regulations. Considered to be the “toughest data privacy law in the United States”, the California Consumer Privacy Act (CCPA) will come into effect on January 1st, 2020, only a year and a half after it was passed.
While amendments to the CCPA are expected to occur after it has passed, companies will still need to be prepared to comply with this new legislation as soon as it comes into effect, with the enforcement of the CCPA starting either six months after the final regulations are published or July 1, 2020, whichever occurs first. With so little time to prepare, we hope that this article gives your business the overview it needs to understand the next steps needed to meet your CCPA compliance needs.
CCPA Overview
What Rights Does the CCPA Grant?
In 1972, California voters amended the California Constitution to include privacy among the inalienable rights of the people. The intention of the CCPA is to continue protecting the right to privacy of Californians by granting them the right to access, delete, and opt-out of the sale of their personal information.
Knowledge of How Their Data Is Used
Under CCPA, consumers are granted the right to request:
- Disclosure of the categories and specific pieces of personal information that a business collects about the consumer
- The categories of sources from which their information is collected
- Why their information was collected or sold
- The categories of any 3rd parties given access to their data
Deletion of Personal Data on Request
Under CCPA, consumers are to be granted the right to request the deletion of their personal data. Once the request is verified as legitimate, businesses will be required to comply with the request within 45 days, with a once-per-customer extension of 45 days permitted to businesses that reasonably require an extension and notify the customer within the initial 45-day period.
The Ability to Opt-Out of Personal Data Collection With No Penalty
Under CCPA, consumers will be granted the option to request that the sale of their personal information by a business be disallowed. Should a consumer exercise this right, businesses are not permitted to discriminate against the consumer.
Examples of discrimination disallowed by the bill include charging a different price and providing a different quality of goods or services to consumers that exercise their right to opt-out of the sale of their personal data. The CCPA gives an exception to the alteration of quality/price under circumstances where “the difference is reasonably related to value provided by the consumer’s data.” CCPA would also grant businesses the option to offer financial incentives for the collection of personal information.
“Opt-in” Requirements for Consumers Under 16
For consumers under 16, the CCPA requires that the sale of their personal information be prohibited unless “affirmatively authorized”, meaning that consumers younger than 16 years of age must “opt-in” to the sale of their personal information by providing explicit permission.
What is “Personal Information” Under CCPA?
At its most basic level, the definition of “personal information” under CCPA refers to any information that can be plausibly linked to a specific household or individual consumer, such as but not limited to:
- Names/nicknames
- Addresses
- IP addresses
- Email addresses
- Usernames
- Social Security Numbers (SSN)
- Phone numbers
- Employment history
- Health insurance information
- Records of products or services purchased
- Browsing history/search history
- Education information
Under CCPA, inferences made using collected data are also protected. This is of special consideration for marketers or other industries creating demographic and consumer behavior profiles.
“Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” – Assembly Bill No. 375, Chapter 55, Section 1798.140(K)
It is important to note that according to the CCPA, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. For a detailed list of what is considered personal information under CCPA, refer to section 1798.140 of Assembly Bill No. 375.
Will My Business Need To Be CCPA Compliant?
The CCPA can potentially apply to any for-profit business or associated entity in California, whether or not they physically reside in California, so long as that business collects and controls the processing of a consumer’s personal information while also meeting ANY of the below criteria:
- Collects or sells personal information of California residents
- Has a gross annual revenue in excess of twenty-five million dollars ($25,000,000)
- Annually buys, receives, sells, or shares the personal information of 50,000+ California consumers, households, or devices
- Derives 50% or more of its annual revenues from selling consumers’ personal information
What Constitutes “Selling” of Personal Information Under CCPA?
The act of “selling” personal data is not exclusive to monetary transactions. According to the bill, the exchange (“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means…”) of personal information in return for “valuable consideration” will also be considered as selling under the CCPA.
While the definition of “valuable consideration” is not explicitly defined in the bill, the California Legislative Information website has previously defined a “consideration” as “any benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.”
CCPA Penalties
The potential penalties for businesses failing to maintain their CCPA compliance requirements will be significant, with violations of the CCPA incurring fines of up to $7,500 per violation. Under the CCPA, data breaches will also be considered the responsibility of the company, with fines of up to $750 per consumer affected in each breach.
How Do I Become CCPA Compliant?
CCPA Compliance Checklist
- Determine whether your business sells personal information of California residents
- Ensure that your data infrastructure allows you to readily consolidate and report the personal information you have collected of individuals
- Provide a minimum of two (2) methods for California consumers to request access to the personal information held by your business, including a toll-free telephone number
- Upon request, comply with any consumer deletion requests within 45 days of receiving a verified request
- Update your websites to include readily visible disclaimers that your company sells personal information, and provide a “clear and conspicuous” link titled “Do Not Sell My Personal Information” that will allow users to opt-out
- Update your privacy policies to include a section detailing the privacy rights of California residents
The Future of Data Privacy Legislation
With consumer privacy regulations expected to take center-stage in the coming decade, businesses that are not directly affected by the California Consumer Privacy Act should still ensure that they are in the best position possible to adapt to future privacy regulations. Legislation such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Europe’s General Data Protection Regulation (GDPR), and Nevada’s Senate Bill 220, along with various other local privacy and data legislation, are going to continue to influence how businesses are expected to operate.
If you would like to see the entire unedited assembly bill detailing the CCPA, visit the link below:
Full text of AB375, Title 1.81.5, “The California Consumer Privacy Act of 2018, CCPA”: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
More Resources
- When Is It Illegal to Monitor Employees in California? | Polaris Law Group
- Workplace Surveillance: What Employers In California Need To Know | California Lawyers Association
- Workplace Privacy in the State of California | State Of California Department Of Justice Office Of The Attorney General