With so many businesses moving commercial operations online, it is imperative for consumer data to be protected. California has been leading this endeavor in the United States, creating laws that govern how companies use the personal information they collect about their customers. The most important one is the California Consumer Privacy Act of 2018 (CCPA).
Whether you sell goods or are a service provider under CCPA, sometimes it’s difficult to determine who exactly is a consumer, especially when your employee is one. So the critical question is: does CCPA apply to employees?
What Is The CCPA?
The CCPA is the legislation that gives consumers more control over their personal data collected by businesses. Data collection occurs whenever an individual makes an online purchase, inquiry, or other transaction. Every company that transacts with California residents should understand and regard CCPA compliance requirements. Failure to do so runs the risk of incurring some hefty fines.
But does CCPA apply to companies outside California? The simple answer is yes. This act applies to companies without any physical stores in California, as long as they meet one or more of these criteria:
- Have an annual gross revenue of more than $25 million.
- Buy, sell, receive or share personal information of 50,000 or more residents of California with the intent to make a profit.
- Fifty percent or more of their annual revenue comes from selling personal information collected from Californians.
How Does CCPA Apply To Employees?
While the initial intent of CCPA was to safeguard consumer privacy, it doesn’t give a clear definition of who the consumer is, making it a challenge to separate employees from consumers. Currently, this privacy act defines a consumer as anyone residing in California, meaning that the personal information of company employees who live in California and transact with your business are also protected under the CCPA.
Furthermore, your company doesn’t need to have an actual commercial transaction with a person for them to qualify as a consumer. If you collect personal data from job applicants or employees living in California, you must comply with the CCPA. This act also applies to the data collection involved in business-to-business (B2B) relationships.
The California legislature amended the CCPA in 2019 to exempt employees’ data and information shared in a B2B setting. The California Privacy Rights Act (CPRA) of 2020 further extended these exemptions. Current CCPA amendments expire in January 2023, but your business will still have CCPA obligations related to B2B contacts and employees after the amendments expire.
As a business owner, you will receive hundreds, if not thousands, of job applications and evaluation requests. These applications contain personal data about applicants and employees, including contact information, age, religion, gender, education, etc. It’s tough for you to keep track of these details for CCPA compliance. Even deleting such an extensive database can pose a real challenge.
Thankfully, the recent amendments to the CCPA have offered some exemptions around the personal data you collect about job applicants, employees, owners, directors, officers, medical staff members and independent contractors. Nonetheless, these exemptions are only applicable if you use the information in relation to the person’s current or previous role in the company. Therefore, if one of your employees is your customer, the personal data you collect about them while acting as a customer is subject to the CCPA.
The amendments exempt personal data obtained from employees for emergency contact information and to administer employee benefits. You must notify the employee or job applicant you intend to collect their data and why you need it. Also, this data is not exempt from the CCPA’s privacy right of action. Therefore, a consumer can sue you for unauthorized access to their data.
The CCPA amendments also offer exemptions for B2B contacts. A B2B consumer is any person acting as an employee, director, officer, contractor or owner of a business. Therefore, you don’t have to disclose your information to the B2B consumer. They also don’t have a right to know the personal data you collect about them, and they don’t have the right to ask you to delete it.
As the amount of data swirling throughout the world grows each day, so does the consumers' right to protect their personal information. Legislation like the CCPA helps protect the public, and it is imperative to follow the law to the letter for your business to thrive.