California Labor & Employment Law Blog
Returning to the Workplace with COVID-19 Precautions: Employers Beware - California Attorney General Poised to Enforce CCPA JULY 1, 2020
Apr 27, 2020

Topics: COVID-19

As workplaces open up, employers taking precautions to protect their workforces from unnecessary risk of exposure to COVID-19, including measuring body temperature and other indications of potential COVID-19 symptoms, may inadvertently create exposure under the CCPA by collecting personal information about employees without giving those employees adequate notice of the collection. CCPA-covered employers taking these measures should therefore also ensure compliance with the CCPA in the short time before the California Attorney General may commence prosecution of CCPA violations.

  1.  EMPLOYERS SUBJECT TO THE CCPA

The threshold test to determine whether an employer is required to comply with the CCPA is whether any of the following three factors applies:

(1) annual sales of $25M or more;

(2) buy, sell, or share for “commercial purposes” 50,000 or more personal records; or

(3) derive 50% or more of its annual revenue from selling “personal information.”

This determination is made based on the employer’s direct or indirect business.  An entity that is a parent or a subsidiary of an entity that meets the threshold and shares common branding, such as franchisees, is subject to the CCPA. 

“Personal records” or “personal information” is information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including 11 categories of consumer information such as name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, biometric information, characteristics of protected classifications, internet browsing history, geolocation data, education information and more. The information may be in document or electronic format.

Even though the CCPA was originally written with an intent to protect consumers from having their personal information exploited against their wishes, modifications to the statute continue to take place, several of which impact employers in their role as an employer.  For the latest information about the CCPA and modifications since its inception, see the attached link to the California Attorney General’s CCPA webpage: https://oag.ca.gov/privacy/ccpa.

  2. WHAT EMPLOYERS SHOULD DO TO PROTECT AGAINST PROSECUTION

  A. Notice

The CCPA requires employers to give California employees and job applicants notice about the categories of employee personal information that the employer maintains and how that information is used. This disclosure must be made before or at the time the employer receives the personal information that is collected. Employers should not collect new information or use already collected information without providing notice. Cal. Civ. Code § 1798.100(b). Covered employers considering requiring returning employees to take and report body temperatures or COVID-19 testing results should ensure that employees and applicants are advised of the collection and that the results will be maintained for work eligibility purposes.

  B. Data Mapping

Covered employers who have not yet prepared a CCPA Notice for their workforce should undertake data mapping to identify the personal information that the employer maintains. A data map examines different collection sources and the personal information that may be contained in them. A data map helps an employer understand what information it may have, where it is located, and who has access to it, which is important generally for information governance and cybersecurity, and can be especially critical for privacy compliance.

  C. Mandatory Notice

The notice to applicants and employees should be:

  • drafted in plain, straightforward language;
  • easily readable, including on small screens (phones);
  • in the language used in the ordinary course of business to communicate with the relevant population;
  • able to identify the type of personal information that the employer collects;
  • descriptive of the purposes for which the business will use personal information; 
  • accessible to the disabled or provide information on how a California resident or employee with a disability may access the notice in an alternative format.

An employer may deliver notice to employees by, for example, posting it on the corporate intranet, sending California employees a link to the notice by e-mail or text message, sending the notice as an attachment to an e-mail, including the notice among the documents presented on an onboarding platform, sending the notice by U.S. mail, hand-delivering the notice, or enclosing it with paystubs or other communications to all employees.

Employers should note that HIPAA-protected information, such as that which is accumulated for health insurance purposes, is expressly excluded from the CCPA, and employers are not required to provide notice concerning the collection of HIPAA-covered health benefits.

  D. Data Security

Employers must put in place “reasonable security measures” to prevent data breaches that would lead to unauthorized access to employee personal information such as Social Security numbers, medical leave requests, warnings/disciplinary actions, performance evaluations, drug tests, etc. Unfortunately, neither the CCPA nor the California Civil Code defines what “reasonable security measures” entails. The California Attorney General endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. These measures include:

  • implementing host-based firewalls, spam filters or port-filtering to prevent unauthorized access;
  • data protection/system backups;
  • removing sensitive data or systems from the network and limiting access based on the need to know;
  • training employees to identify, report and not respond to phishing attempts;
  • maintaining an active inventory of hardware devices and ensuring only authorized devices are connected to the network;
  • ensuring software is up to date from official sources;
  • changing default passwords especially on newly issued hardware;
  • installing anti-virus and anti-malware software on all devices; 
  • training employees on how to identify and properly store, transfer, archive, and destroy sensitive information.

Employers should work closely with their IT personnel and counsel to implement the appropriate level of security controls. 

Employees now have the right to bring a private right of action against any employer where a lack of reasonable security leads to unauthorized access and exfiltration, theft, or disclosure of non-encrypted or non-redacted personal information of employees.  Cal. Civ. Code § 1798.150.  Remedies include injunctive relief and damages of no less than $100 and no more than $750 per consumer per incident. 

The date on which the California Attorney General may commence enforcement actions is coming soon: July 1, 2020. Employers have little time to get compliant with the CCPA’s Notice requirement and are encouraged to do so in conjunction with efforts to return to work. It is incumbent on all employers to have data security protocols in place to fend off potential liability for data breaches.

About CDF

For over 25 years, CDF has distinguished itself as one of the top employment, labor and immigration firms in California, representing employers in single-plaintiff and class action lawsuits and advising employers on related legal compliance and risk avoidance. We cover the state, with five locations from Sacramento to San Diego.

About the Editor

Robin Largent has a regular presence in California state and federal courts and has been lead defense counsel and appellate counsel for large and small California employers in litigation (and arbitration) ranging from individual discrimination and harassment claims to complex wage and hour representative and class actions. She also leads the firm’s appellate practice, having substantial experience and success handling appeals, writ petitions, and amicus briefs in both state and federal court on issues such as class certification (particularly in the wage and hour arena), manageability and due process concerns associated with class action trials, exempt/non-exempt misclassification issues, meal and rest break compliance, trade secret/unfair competition matters, and the scope of federal court jurisdiction under the Class Action Fairness Act.

CDF Labor Law LLP © 2020