Returning to the Workplace with COVID-19 Precautions: Employers Beware - California Attorney General Poised to Enforce CCPA
July 1, 2020
As workplaces reopen, employers are taking precautions such as measuring body temperature and screening for other potential COVID-19 symptoms to protect their workforces from unnecessary risk of exposure. Those same measures may inadvertently create exposure under the CCPA if the employer collects personal information about employees without giving them adequate notice of the collection. CCPA-covered employers taking these measures should therefore also ensure CCPA compliance in the short time remaining before the California Attorney General may commence prosecution of CCPA violations.
- EMPLOYERS SUBJECT TO THE CCPA
The threshold test for whether an employer is required to comply with the CCPA is whether any of the following three factors applies:
(1) annual sales of $25M or more;
(2) buy, sell, or share for “commercial purposes” 50,000 or more personal records; or
(3) derive 50% or more of its annual revenue from selling “personal information.”
This determination is made based on the employer’s direct or indirect business. An entity that is a parent or a subsidiary of an entity that meets the threshold and shares common branding, such as franchisees, is subject to the CCPA.
“Personal records” or “personal information” is information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including 11 categories of consumer information such as name, address, personal identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, biometric information, characteristics of protected classifications, internet browsing history, geolocation data, education information and more. The information may be in paper or electronic format.
Even though the CCPA was originally written with an intent to protect consumers from having their personal information exploited against their wishes, modifications to the statute continue to take place, several of which impact employers in their role as an employer. For the latest information about the CCPA and modifications since its inception, see the attached link to the California Attorney General’s CCPA webpage: https://oag.ca.gov/privacy/ccpa.
- WHAT EMPLOYERS SHOULD DO TO PROTECT AGAINST PROSECUTION
The CCPA requires employers to give California employees and job applicants notice of the categories of employee personal information that the employer maintains and how that information is used. This disclosure must be made before or at the time the employer receives the personal information that is collected. Employers should not collect new information, or use information already collected, without providing notice. Cal. Civ. Code § 1798.100(b). Covered employers considering requiring returning employees to take and report body temperatures or COVID-19 testing results should ensure that employees and applicants are advised of the collection and that the results will be maintained for work eligibility purposes.
- Data Mapping
Covered employers who have not yet prepared a CCPA Notice for their workforce should undertake data mapping to identify the personal information that the employer maintains. A data map examines the different collection sources and the personal information each may contain. A data map helps an employer understand what information it has, where it is located, and who has access to it, which is important generally for information governance and cybersecurity and can be especially critical for privacy compliance.
- Mandatory Notice
The notice to applicants and employees should be:
- drafted in plain, straightforward language;
- easily readable, including on small screens (phones);
- in the language used in the ordinary course of business to communicate with the relevant population;
- able to identify the type of personal information that the employer collects;
- descriptive of the purposes for which the business will use personal information;
- accessible to people with disabilities, or accompanied by information on how a California resident or employee with a disability may access the notice in an alternative format.
An employer may deliver notice to employees by, for example, posting it on the corporate intranet, sending California employees a link to the notice by e-mail or text message, sending the notice as an attachment to an e-mail, including the notice among the documents presented on an onboarding platform, sending the notice by U.S. mail, hand-delivering the notice, or enclosing it with paystubs or other communications to all employees.
Employers should note that HIPAA-protected information, such as information accumulated for health insurance purposes, is expressly excluded from the CCPA, and employers are not required to provide notice concerning the collection of HIPAA-covered health benefits information.
- Data Security
Employers must put in place “reasonable security measures” to prevent data breaches that would lead to unauthorized access to employee personal information such as Social Security numbers, medical leave requests, warnings/disciplinary actions, performance evaluations, drug tests, etc. Unfortunately, neither the CCPA nor the California Civil Code defines what “reasonable security measures” entails. The California Attorney General has endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. These measures include:
- implementing host-based firewalls, spam filters or port-filtering to prevent unauthorized access;
- data protection/system backups;
- removing sensitive data or systems from the network and limiting access based on the need to know;
- training employees to identify, report and not respond to phishing attempts;
- maintaining an active inventory of hardware devices and ensuring only authorized devices are connected to the network;
- ensuring software is up to date from official sources;
- changing default passwords especially on newly issued hardware;
- installing anti-virus and anti-malware software on all devices;
- training employees on how to identify and properly store, transfer, archive, and destroy sensitive information.
Employers should work closely with their IT personnel and counsel to implement the appropriate level of security controls.
Employees now have a private right of action against any employer where a lack of reasonable security leads to unauthorized access and exfiltration, theft, or disclosure of non-encrypted or non-redacted employee personal information. Cal. Civ. Code § 1798.150. Remedies include injunctive relief and damages of no less than $100 and no more than $750 per consumer per incident.
The date on which the California Attorney General may commence enforcement actions is coming soon: July 1, 2020. Employers have little time to comply with the CCPA’s notice requirement and are encouraged to do so in conjunction with their return-to-work efforts. It is incumbent on all employers to have data security protocols in place to fend off potential liability for data breaches.