Deadline Looms for Employers to Provide CCPA Notices

Q.  What are my company’s obligations under the California Consumer Privacy Act?

A. The California Consumer Privacy Act (CCPA) will take effect on January 1, 2020. On or before that date, businesses that employ California residents, retain California residents as independent contractors, or receive job applications from California residents must provide those individuals with notices detailing (1) the categories of personal information that the employer collects about them and (2) the purposes for which the personal information will be used. The CCPA requires that businesses provide these notices “at or before the point of collection” of personal information.

“Personal information” is defined broadly in the CCPA and includes items such as Social Security numbers, bank account numbers, education and employment history, characteristics of a protected classification under California or federal law (such as race, religion, gender, disability and age), biometric information, medical and health insurance information, and certain metadata, such as device IP address. In the employment/independent contractor context, businesses collect personal information for purposes such as onboarding, conducting background checks, managing the employment/contractor relationship (including payment of wages/fees, time records, direct deposit authorization, etc.), and preparing legally required records (including I-9 and EEO-1 forms). Businesses should consider incorporating the CCPA notice in the following documents and locations, as well as posting it where other notices are posted:

  • employee handbooks
  • offer letters
  • other new hire paperwork
  • employment agreements
  • restrictive covenant agreements
  • online job application portals.

In addition to requiring notice to individuals, the CCPA’s notice requirement extends to “personal information” related to households, which would include medical and health insurance information about an employee’s beneficiaries. Businesses should assess how to comply with their obligation to notify households in the absence of specific guidance, which hopefully will be forthcoming.

Although many employment-related requirements in the original CCPA were suspended until January 1, 2021 by the CCPA amendments, the notice requirement and the private right of action in the event of a data breach are still in effect. Consequently, businesses should properly secure employee, applicant and independent contractor-related personal information to mitigate risk of liability, and develop and distribute mandated notices at or before all points where employee, job applicant and independent contractor personal information is collected. Businesses also should consider what operational steps will be necessary to afford California resident employees, applicants and independent contractors full CCPA rights as of January 1, 2021. Pepper Hamilton LLP can assist businesses in complying with the CCPA.

Sharon R. Klein, Susan K. Lessack, Alex C. Nisenbaum and Jeffrey M. Goldman

Using Employees’ Fingerprints for Timekeeping: Protecting Employee Data and Minimizing Risk

Q.  Can my Company institute a timekeeping system that uses fingerprints to track time?

A. Employers increasingly maintain timekeeping systems that require employees to clock in and out of work using their fingerprints to reduce the risk of coworkers clocking in for each other (so-called “buddy punching”) and to increase the accuracy of time reporting. Fingerprints are biometric data, and some employees fear that their data could be stolen or sold, leading to identity theft. The damage caused by identity theft is greater when biometric data is stolen because, unlike Social Security numbers or other personally identifiable information, an individual’s biometrics cannot be changed.

At present, there is no federal statute regulating employers’ use of employees’ biometric data, and just three states — Illinois, Texas and Washington — have laws that specifically regulate biometric privacy.1

For more information about this topic, click here.

Susan K. Lessack