Employees have a right to notice under the CCPA. As noted, the CCPA's definition of "consumer" covers all California residents, meaning:
While we normally think of "consumers" as "customers" or "potential customers," this definition of "consumer" includes employees of your business.
Extending all the CCPA's provision to all employees will require a lot of work. Accordingly, in October 2019, that State of California enacted Assembly Bill 25 (AB-25, available here) in order to give businesses some breathing space.
Here's the relevant part of AB-25:
AB-25 states that until January 1st, 2021, a business will not have to comply with the CCPA in respect of its:
However, there is one provision of the CCPA that businesses must comply with in respect of their employees even before 2021 (i.e. now): providing Notice at Collection for employees.
The CCPA's Notice at Collection requirements are mostly the same in respect of your employees as they are in respect of all other consumers.
Your Notice at Collection for employees must:
At least until the CCPA is finalized in 2021, there are two differences between a Notice at Collection for employees and a Notice at Collection for non-employees. In your Notice at Collection for employees:
You should provide useful information, including:
You should provide Notice at Collection for employees whenever you collect employees' personal information. Consider including a Notice at Collection with employee handbooks, terms of employment, internal policies, etc.
Until at least 2021, there's no need to provide a Privacy Policy for employees. However, some businesses have already created such a document.
Here's an excerpt from a Privacy Policy for employees produced by Cohn Restaurant Group:
Most businesses currently providing a Privacy Policy for employees have created a document that effectively serves as a Notice at Collection for employees, i.e. it explains what categories of personal information the business collects for what purposes.
Here's an example from Trendmaker Homes:
For now, this is acceptable. From 2021 onwards, your Privacy Policy for employees could look very different. For example, unless the CCPA changes, your Privacy Policy for employees will need to provide information about how your employees can exercise their CCPA rights.
For now, there is no need to provide Notice of the Right to Opt Out or Notice of Financial Incentive to your employees.
There had been concern among businesses that certain practices involving the collection and sharing of employment data would be considered a "sale." For example, sharing employee data with third-party providers for the purpose of providing benefits.
However, the Proposed Regulations released in February 2020 (available here) clarify that the collection and use of employment-related information for providing benefits constitutes a "business purpose" rather than a sale.
Therefore, for most employers, there should be no need to provide Notice of the Right to Opt Out for employees. A Notice of Financial Incentive also does not apply to employment-related activities.
The table below explains which notices you must provide to which types of consumers:
Public | Employees | |
Notice at Collection | Provide now | Provide now |
Privacy Policy | Provide now | Provide after Jan 1st, 2020 |
Notice of the Right to Opt Out | Provide now | N/A |
Notice of Financial Incentives | Provide now | N/A |