CCPA Compliance Concerns for Employers as California Employees Return to the Workplace

Pillsbury - Internet & Social Media Law Blog

[co-author: Abraham Gomez]

As California reopens from the COVID-19 pandemic and workers begin returning to work in-person, many employers have begun requesting their employees provide, sometimes on an ongoing basis, certain health information before returning to the workplace. This includes information such as temperature checks, health surveys, COVID-19 test results, or proof of vaccination status. Given the likelihood that collecting this information will trigger certain requirements under the California Consumer Privacy Act (CCPA), employers should take certain measures to ensure they remain in compliance with the CCPA as their workplaces reopen.

The CCPA, California’s robust data privacy law that went into effect on January 1, 2020, applies to any employer that is a for-profit legal entity that does business in the State of California, collects the personal information of consumers (California residents), determines the purposes and means of the processing of consumers’ personal information, and meets one of the following thresholds:

  • Has a gross annual revenue of over $25 million;
  • Alone or in combination, annually buys, sells, receives or shares the personal information of 50,000 or more consumers, households or devices (which averages to approximately 137 pieces of personal information per day); or
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

The CCPA defines personal information quite broadly and includes health-related information such as an individual’s COVID-19 vaccination status. While this category of personal information is required to be disclosed under the CCPA, most of the provisions of the CCPA do not apply to information that is collected by a business from or about its employees (current, former and prospective) within the context of the employment relationship. This exemption has been extended until January 1, 2023, due to passage of the California Privacy Rights Act (CPRA).

While the employee exemption strips employees of the rights to request CCPA disclosures or deletion and to tell their employers not to sell their information, CCPA-covered employers are required to provide their employees a notice listing the categories of personal information the employer collects and how that information will be used. Employers are required to update the notice annually and before new types of information are collected or new uses for information are instituted. Therefore, businesses that are subject to the CCPA and that begin collecting COVID-19-related health information from their employees will need to provide, or update, a notice to that effect. This notice at collection must be given at or before the point at which an employer collects the personal information. It must be easy to read and understandable to consumers, list the categories of personal information the employer is collecting, and list the purposes for which the categories of personal information will be used. While employers subject to the CCPA should already have a notice at collection provided to their employees, it is important that the notice be updated to include notice of the type of health information being collected from employees in connection with their returning to the workplace.

Employers should also be mindful to not use the information collected for any other purpose unrelated to the employment context. Otherwise, they run the risk of having the collected information fall outside the scope of the employee exception and thus subject to the rest of the privacy rights granted by the CCPA. It should also be noted that if a CCPA-covered business is collecting COVID-19 or other related health information outside of the employment context—for instance, from customers or visitors to their facilities—the business must include disclosures about its collection, use and disclosure of that information in its privacy policy and its CCPA disclosures.

Despite the countless other health and safety concerns businesses face as California and the rest of the country begin to reopen, it is important for them to remain compliant with the CCPA to avoid incurring any enforcement actions by the California Attorney General.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury - Internet & Social Media Law Blog | Attorney Advertising
