On March 25, 2019, California Assembly Member Ed Chau introduced Assembly Bill 25 (AB 25) to amend the definition of “consumer” under the California Consumer Privacy Act of 2018 (CCPA) set to take effect on January 1, 2020. This amendment would expressly exclude employees, contractors and agents from the definition of “consumer” under the CCPA. On Tuesday, April 23, AB 25 cleared a large hurdle when the Assembly’s Committee on Privacy and Consumer Protection voted unanimously to advance it along with seven other industry-backed bills in a bid to clarify key parts of the CCPA.
If passed, AB-25 would amend Cal. Civ. Code 1798.140(g)(2) to carve-out from the definition of a “consumer”: “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.” Chau states the intended effect of AB 25 more simply: “where the person’s ‘employee hat’ is on, the CCPA rights do not apply. Where the same person’s ‘employee hat’ is off, the CCPA applies.” In addition, Chau indicated that AB 25 also exempts data collected and used solely in the context of a business-to-business relationship (think: employee data collected by a customer and transferred to business performing outsourced job functions).
Many California employers have expressed concern regarding the employer-employee relationship under the CCPA. Subject to certain exceptions, the CCPA as currently drafted will allow employees to request their employer provide portable access to their personal information, delete certain personal information from their records, and disclose information about the employer’s personal information collection and sharing practices. Assembly Member Chau states these rights could have unintended consequences. For example, an employee accused of sexual harassment could request that complaints about them be expunged from company files under the § 1798.105 right to delete. Another issue: highly sensitive information, like social security numbers, could fall into the wrong hands when a request is made for “specific pieces of information” the business has collected about a consumer as part of the consumer’s employment role pursuant to the § 1798.110 right to know. Employers often maintain more categories of sensitive personal information on their employees than their customers, raising the risk of fraudulent disclosure.
Companies are closely watching AB 25 for another reason: if passed, it would bar employees from bringing a private right of action under the CCPA against a covered business that suffered a data breach arising from a failure to take reasonable security measures. AB 25 would therefore provide some relief for employers from additional private litigation stemming from the myriad consequences of a data breach. But such weakening of consumer private rights appears at odds with recently introduced Senate Bill 561, backed by California Attorney General Xavier Becerra, which is designed to expand the right of Californians to bring private legal actions under the CCPA. These two bills tee up the potential for a “grand bargain” that enhances consumer private rights one the one hand, while excluding employees from exercising those rights against their employers on the other. Such a balance may find purchase with both privacy advocates and industry groups alike.
All of eight of the bills passed by the Committee still need to clear the entire state Assembly before moving to the Senate. It seems likely that AB 25, at least, will eventually pass both houses and become law, given the strong interest in maintaining the current employer-employee relationship status quo.