The California Consumer Privacy Act (CCPA) just went into effect on January 1, 2020. If your business has operations in California, the new law may require you to provide notices to employees, update privacy policies on websites and amend contracts with vendors who handle employee data—including data relating to your employee benefit plans.
Employers Subject to the CCPA
The new law casts a wide net. It applies to any for-profit business (including entities that control or are controlled by the business and share common branding with the business) that:
The CCPA gives California residents certain rights with respect to their data. These rights vary depending on whether a business merely collects and processes information about California residents and households or also “sells” the information.
Application of the CCPA to Employment Data
The CCPA defines “personal information” to specifically include employment-related information. However, before the California legislature adjourned for 2019, it passed an amendment to the CCPA that provides a one-year partial exemption for employment data. As amended, the CCPA requires during 2020 that a business give employees and job applicants in California the Notice of Collection, which describes the categories of data that the business collects, the purposes for the collection and the disclosures that it makes of that data. However, the business does not have to respond to individual rights requests until 2021.
Application to Employee Benefits
Employee benefit programs inevitably include personal information, such as names of employees, names of spouses, dependents and other beneficiaries, and possibly information associated with those individuals. For programs subject to ERISA, there is certainly an argument that the CCPA is preempted by ERISA—but California has a history of challenging ERISA preemption claims, and until courts work through that issue, it’s an open question. Moreover, if your company provides any benefit programs that are not subject to ERISA (for example, a dependent care FSA, an HSA contribution program or a salary continuation program for those on short-term disability leave), no preemption argument is available.
Penalties Under the CCPA
Non-compliance with the CCPA will be costly. The California Attorney General is authorized to enforce the CCPA with penalties of up to $2,500 per violation per employee. Additionally, consumers whose data is the subject of a data breach can sue for between $100 and $750 per incident if the business failed to implement reasonable security procedures. The CCPA expressly voids any arbitration provision or class action limitation on this right.
Steps to Take Now
If your business is subject to CCPA requirements, consider the following steps with respect to your employment data and employee benefit programs:
We’re Here to Help
For assistance with CCPA compliance or questions about the CCPA generally, please contact Norbert Kugele or any member of Warner’s Employee Benefits Practice Group.