On October 11, 2019, Governor Gavin Newsom signed into law Assembly Bill (AB) 25, which amends the California Consumer Privacy Act of 2018 (CCPA). AB 25 seeks to ease the pain for employers struggling to comply with the CCPA, which goes into effect on January 1, 2020.
The top three things that employers should know about AB 25 are:
- An employer still has the obligation to inform job applicants, employees, owners, directors, officers, medical staff, or contractors (collectively, “employees”) about the categories of personal information to be collected.
- An employee may still bring a private civil action against an employer that violates its duty to implement reasonable security procedures and practices if that failure results in the employee’s personal information being subject to unauthorized access and exfiltration, theft, or disclosure.
- The exemptions under AB 25 expire on January 1, 2021. After that date, the entire CCPA is applicable unless the CCPA is amended again. Quite possibly, the California Legislature will pass an employee-specific privacy bill in 2021 that may solve many of the issues created by the CCPA’s defining consumers to include employees.
If the CCPA applies to your business, the following are some action items that may be required under AB 25:
- Providing notices to job applicants before personal information is collected
- Providing notices to employees on or before January 1, 2020
- Creating/revising internal policies for the collection and handling of employee personal information
- Training people who handle employee personal information
- Reviewing services contracts (payroll, benefits, etc.) and implementing addenda to those contracts to ensure personal information is being handled properly.