- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the CCPA apply to the personal information of employees?
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased-in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.5 Employee’s personal information was exempted from other provisions of the CCPA until January 1, 2021 (e.g., access rights, deletion rights, sale rights, etc.).5
If a business receives a right to be forgotten request from an employee, or a former employee, does it have to delete the requestor’s information?
As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021. Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”1 As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.
That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may be applications. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more statutory exceptions outlined above. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.2 This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.3
CCPA Privacy FAQs: Is a Service Provider Responsible if its Client Violates the CCPA?
In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from:
- retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
- using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
- disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
If a service provider negotiates an agreement with a client that contains the three provisions above, the CCPA states that the service provider will “not be liable” in the event that it’s client fails to fulfil the client’s obligations as a “business” under the Act. So, for example, a service provider should not be liable if its client fails to post a privacy notice, inaccurately describes its sharing practices, or fails to disclose that it has transferred personal information to the service provider.