The California Consumer Protection Act and You - Midwestern Based Employers Take Note

Feb 2, 2020 | John C. Gardner

Am I Right that Midwestern-Based Employers Don’t Need to Be Concerned About The CCPA?  Please Tell Me I’m Right (Because I’m Getting A Little Worried Now)

You may be wondering why an attorney based in Madison, Wisconsin, is writing an article about the new California Consumer Protection Act (“CCPA”).  And that would certainly be a fair question.  I do not generally make it a practice to write about California laws.  However, I felt that I needed to make an exception here.  As you have likely guessed from the title above, certain employers based in the Midwest really do need to be concerned with the CCPA. 
So, what is the CCPA?

The CCPA is a consumer privacy law that, among other things. imposes various obligations on businesses seeking to obtain “personal information” from California residents, provides those residents with various rights, including the right to seek legal relief in certain circumstances, and provides for penalties in the event that businesses violate their obligations.  

Okay, what is “personal information”?  

The CCPA defines “personal information” broadly to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).  At a minimum, this information includes a resident’s “real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers” – in other words, information that employers regularly collect from their employees, job applicants and independent contractors.  

So, as an employer based in the Midwest, how could the CCPA apply to me?

It is probably obvious that employers with any degree of a physical presence in California should take a hard look at whether the CCPA imposes any obligations on them.  However, employers without any California physical location are not necessarily in the clear and could very easily be subject to the law.

By its terms, the CCPA applies to an employer if it: 1) does business in California; 2) collects personal information from one or more California residents; and 3) collects $25 Million or more in annual revenue [1]
.  Consequently, assuming that an employer conducts at least some degree of business in California and satisfies the revenue threshold, it will be subject to the law, without regard to whether or not it has a physical presence in the state, if it happens to employ any individuals who reside in California (i.e., a salesperson, a remote worker, etc.), or happens to accept any job applications from California residents.  

What are an employer’s obligations if the CCPA does apply?

Employers subject to the law need to get CCPA-compliant notices in place as soon as possible (technically, the notices were due no later than January 1, 2020).  At a minimum, the notices are required to set forth information regarding the categories of personal information the employer collects with respect to its California employees and applicants, the uses to which the employer puts that information, and the fact that California residents could have a private right of action against the employer if a data breach occurs, among other things.  These notices should be given to existing California employees through an employee handbook update or separate written policy, and should be included in any job application process pertaining to a California resident.  

In addition, if subject employers do not already have appropriate measures in place, they need to implement reasonable security measures and practices with respect to the personal information they collect/have already collected from California residents.          
Finally, because California is still working on permanent answers to the questions of how and to what extent the CCPA applies to employers, subject employers need to monitor the issue going forward and should prepare themselves for revisions (and, perhaps, additions) to their legal obligations in the future.   

Please contact John Gardner or any other member of DeWitt’s Employment Relations practice group if you need any assistance with respect to the CCPA, or just want to vent about the extreme breadth and broad reach of California’s employment (and general) laws.

[1] The CCPA also applies to business entities that buy, receive, or share personal information of 50,000 or more consumers, households, or devices, and/or derives 50% or more of their annual revenues from selling the personal information of California residents.