CCPA Employee Notices

Employees have a right to notice under the CCPA. As noted, the CCPA's definition of "consumer" covers all California residents, meaning:

  • Any individual who is located in California for anything other than a "temporary or transitory" purpose (e.g. visitors, tourists)
  • Any individual who is domiciled in California, but who is currently outside of the state for a "temporary or transitory" purpose (e.g. California residents who are on vacation)

While we normally think of "consumers" as "customers" or "potential customers," this definition of "consumer" includes employees of your business.

Extending all the CCPA's provision to all employees will require a lot of work. Accordingly, in October 2019, that State of California enacted Assembly Bill 25 (AB-25, available here) in order to give businesses some breathing space.

Here's the relevant part of AB-25:

California Legislative Information: CCPA AB-25 - Employee exemption

AB-25 states that until January 1st, 2021, a business will not have to comply with the CCPA in respect of its:

  • Job applicants
  • Employees
  • Owners
  • Directors
  • Officers
  • Medical staff
  • Contractors

However, there is one provision of the CCPA that businesses must comply with in respect of their employees even before 2021 (i.e. now): providing Notice at Collection for employees.

Notice at Collection for Employees

The CCPA's Notice at Collection requirements are mostly the same in respect of your employees as they are in respect of all other consumers.

Your Notice at Collection for employees must:

  • Identify the categories of personal information you're collecting
  • Explain the business or commercial purposes for which you'll be using the personal information

At least until the CCPA is finalized in 2021, there are two differences between a Notice at Collection for employees and a Notice at Collection for non-employees. In your Notice at Collection for employees:

  • You may provide a link to your Privacy Policy for employees (if you have one), rather than your main Privacy Policy
  • You do not need to include a link to your "Do Not Sell My Personal Information" page (if you have one)

You should provide useful information, including:

  • The relevant categories of personal information Pyrotek collects
  • Examples of the types of personal information in that category
  • The purposes for which the personal information is collected

You should provide Notice at Collection for employees whenever you collect employees' personal information. Consider including a Notice at Collection with employee handbooks, terms of employment, internal policies, etc.

Privacy Policy for Employees

Until at least 2021, there's no need to provide a Privacy Policy for employees. However, some businesses have already created such a document.

Here's an excerpt from a Privacy Policy for employees produced by Cohn Restaurant Group:

Cohn Restaurant Group Employee Privacy Policy: Intro clause

Most businesses currently providing a Privacy Policy for employees have created a document that effectively serves as a Notice at Collection for employees, i.e. it explains what categories of personal information the business collects for what purposes.

Here's an example from Trendmaker Homes:

Trendmaker Homes Employee Privacy Policy: Personal Information Collected clause

For now, this is acceptable. From 2021 onwards, your Privacy Policy for employees could look very different. For example, unless the CCPA changes, your Privacy Policy for employees will need to provide information about how your employees can exercise their CCPA rights.

Other Notices for Employees

For now, there is no need to provide Notice of the Right to Opt Out or Notice of Financial Incentive to your employees.

There had been concern among businesses that certain practices involving the collection and sharing of employment data would be considered a "sale." For example, sharing employee data with third-party providers for the purpose of providing benefits.

However, the Proposed Regulations released in February 2020 (available here) clarify that the collection and use of employment-related information for providing benefits constitutes a "business purpose" rather than a sale.

Therefore, for most employers, there should be no need to provide Notice of the Right to Opt Out for employees. A Notice of Financial Incentive also does not apply to employment-related activities.

Summary Chart of Required CCPA Notices

The table below explains which notices you must provide to which types of consumers:

Public Employees
Notice at Collection Provide now Provide now
Privacy Policy Provide now Provide after Jan 1st, 2020
Notice of the Right to Opt Out Provide now N/A
Notice of Financial Incentives Provide now N/A