August 5, 2019
If you have been following the California Consumer Privacy Act (CCPA), you know that employers have been hoping that it would be amended to exclude employee information from its coverage. As currently written, it is understood than an organization’s job applicants and employees are treated “consumers” under the law, making the personal information collected, processed, and stored by employers susceptible to regulation by the CCPA. As currently written, employees would have the right under the CCPA to request access to the information their employers have collected regarding them but also to request that their employers (or former employers or organizations they applied to) delete their personal information. The deletion exemptions in the CCPA would then require employers to do a nuanced study of how to comply with the request while maintaining the information that the CCPA would exempt for various reasons, such a regulatory records requirements.
Recognizing the morass that employers faced regarding employee data under the CCPA, California Assembly Privacy and Consumer Protection Committee Chairman Ed Chau authored an amendment (AB 25). AB 25 sought to exclude employee data from the CCPA’s definition of consumer personal information and was approved unanimously in the California Assembly.
The bill changed the CCPA’s definition of consumer so that it excluded any “natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person;s personal information is collected and used solely within the context of the persona;s role as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business.”
Many anticipated that this amendment could be used as a shield whereby personal information gathered in the employment context would be excluded entirely from the coverage of the CCPA. However, AB 25 is now moving through the California Senate, and the Senate Judiciary Committee amended it in July before sending it on to the Committee on Appropriations.
Original support for AB 25 was based primarily on the idea that the CCPA was intended to protect consumers and that individuals acting in their capacity as employees were not acting as consumers. The amendment to AB 25 was the result of an opposition coalition that argued the AB 25 employee data exemption as originally written would erode the rights of “employee consumers.” Consumers in their capacity as employees give companies access to extremely sensitive information ranging from social security numbers to credit and background checks, and opponents to AB 25 expressed concerns that employers may go even further in invading employees’ privacy via technological surveillance.
The idea of an “employee consumer” may seem strange, but the coalition to protect them formed to combat a problem that has not been addressed more directly by other laws. A number of data breaches in recent years highlight the need to protect employee data. The 2014 (announced 2015) US Office of Personnel Management data breach, for example, exposed the records of millions of current and former government employees and other individuals who had undergone government background checks. In July 2019, Honda had an employee information data breach. In 2018, department store powerhouse Nordtstrom experienced one. Less well-known in the US but perhaps more concerning, Sage, a UK company that handles payroll and other employee data for its clients, experienced a breach that exposed the employee information from hundreds of UK companies in 2016. Since no other protective action was being taken, US privacy proponents took the opportunity to sweep employees into the “consumer” definition, forcing covered businesses that have not already done so to take steps to impose new security protocols that protect employee data.
Given the strength of the opposition to AB 25 in its original form, Assemblyman Chau authored an amended version that excluded employee information from many, but not all, of the CCPA’s requirements. It now reads, “[t]his bill would exempt, until January 1, 2021, from all provisions of the [CCPA], except the private civil action provision and the obligation to inform the consumer as to the categories of personal information to be collected … information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, as specified.”
Under this change, “consumer employees” retain a private right of action if their personal information is subject to a data breach that is the result of a business’s failure to fulfill its CCPA-imposed duty to implement and maintain reasonable security protocols. This change to AB 25 represents a balance between consumer concerns that companies are not protecting employee data and companies’ concerns that employees, former employees, or former job applicants might try to leverage the CCPA for purposes outside the intended privacy protections.
Assemblyman Chau described the changes to AB 25, writing that the new “language mitigates some of the concerns about employers secretly surveilling their employees. Although it would not allow employee consumers access to the specific pieces of information collected or the right to limit the sale of such information, the provision would now require employers to inform employees what types of information they are collecting on the employees and the reasons for so collecting it. This will create a layer of transparency . . . .”
The new sunset provision for AB 25 will end all of the employee exemptions on January 1, 2021, one year after the CCA goes into effect. We anticipate additional legislation addressing the CCPA’s interaction with and governance of employee data before the sunset provision activates. However, if no clarifying legislation can pass, employers will find themselves in the same position a year from now as they try to decide what, if any, new controls they need to implement regarding their employee data.
AB 25 is now before the California Senate Appropriations Committee with a hearing scheduled for 12 August 2019. Even if it passes through the Committee and the Senate, AB 25 will still have to go back to the California Assembly for approval since it has been amended since its passage there.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth
About The Author: Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income.
Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as General Counsel allows her to field-test SixFifty’s products to ensure they’ll work for customers.
Education and Experience
Marie attended Brigham Young University, and spent most of her undergrad studying International Politics and Development. It was during a field study in South Africa that she first decided to become a lawyer. As she researched the new South African constitution and worked with community organizers, Marie became fascinated with the development of the rule of law and how it in turn fosters economic development.
After undergrad, she attended BYU Law, where she continued focusing on improving equity, specifically through access to justice. She spent time interning with a nonprofit at the Human Rights Council in Geneva and with the United Nations International Tribunal for the Rwandan Genocide. At home, she interned with Catholic Charities, focusing on supporting asylum cases. Marie’s work with communities and governments across the globe broadened her understanding of how the law can either uplift or further harm underserved populations.
After law school, Marie worked as a judicial law clerk for the US Fifth Circuit Court of Appeals. She then practiced commercial litigation in Salt Lake City before returning to BYU Law, where she became an Assistant Dean. During her time at BYU Law, Marie built a diversity recruiting program and a storytelling program. Although she has left academia, she continues to keep a hand in by teaching a legal design class at BYU Law School and an undergraduate international politics class that focuses on development and diplomacy at BYU’s Kennedy Center. Both courses help students increase their community engagement and use their skills to create change.
Achievements with SixFifty
Marie’s work with both SixFifty and LawX focuses on making the law less complicated and
more equitable for both companies and individuals.
Marie’s legal specialty is privacy. She has additional focus areas in legal technology; diversity, equity and inclusion; employment; and compliance. She enjoys the opportunity to build products with the legal product team, including pro bono products. This allows her to work with communities she cares about – and complements the work she continues to do at BYU.
With Marie’s guidance and experience, SixFifty is able to offer privacy products that allow even small companies to easily comply with global privacy restrictions. Her passion for making the law accessible to everyone is evident in our pro bono products, which help individuals access free legal help for common issues.
Get to Know Marie
When she’s not helping to advance SixFifty’s mission, Marie travels whenever she can. Keep your eyes open and you may find her anywhere in the world – one of her favorite trips was a seven-day motorbike tour of northern Thailand. She especially loves to canyoneer in southern Utah and explore wilderness areas.
Marie also continues her community development and education work. She is on the board of several nonprofits, including one that runs primary schools in South Sudan and the Utah Tribal Relief Foundation. She recently joined the board of the Mountainland Association of Governments, which focuses on making loans to entrepreneurs from underserved communities who lack access to traditional funding. She’s also a Model UN legend! She is the Executive Director of BYUMUN, Utah’s premier high school Model United Nations learning conference.
Marie loves podcasts and will nerd out on anything related to the law, the history of the English language, and anything done by the people at Radiolab.
Bar Licensed
Utah
More posts by Marie Kulbeth