Skip Repeated Content

Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?

July 29, 2020

It depends.

The CCPA applies to the personal information of California employees of a business that is subject to the statute.  The specific rights afforded to employees were set to phase-in throughout 2020.

Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” 1  While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures.  These only apply to employee-privacy notices beginning on January 1, 2021.  The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:

Privacy Notice Disclosures Required as of January 1, 2020

In All Privacy Notices (e.g., employee and non-employee)

1.    Identify the enumerated categories of personal information collected.2

2.    Identify the general purpose for which information will be used3

 

Additional Privacy Notice Disclosures Required as of

January 1, 2020 in Non-Employee Privacy Notices and as of

January 1, 2021 in Employee Privacy Notices

 

1.    Explain the ability of a California resident to request access to their personal information.4

2.    Identify the enumerated categories of personal information shared with services providers.5

3.    Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6

4.    State that a California resident has the ability to opt-out of sale of information (if applicable).7

5.    Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8

6.    Explain the ability of a California resident to request deletion of their personal information.9

7.    Provide general information concerning the sources from which personal information was collected.10

8.    Provide general information concerning the third party recipients of personal information11

9.    Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12

10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13

11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14

12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15

The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents.  In essence, it can be thought of as a “short form” privacy notice.  After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.

For more information and resources about the CCPA visit http://www.CCPA-info.com.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.100(b); CCPA, Section 1798.130(a)(3)(B) (note that this subsection does not apply to employee data until January 1, 2021).  See also Modified Proposed Reg. 999.305(b)(2) (Feb. 10, 2020).

2. CCPA, Section 1798.100(b).

3. CCPA, Section 1798.100(b).

4. CCPA, Section 1798.130(a)(5)(A).  See also Modified Proposed Reg. 999.308(c)(1)(a) (Feb. 10, 2020).

5. CCPA, Section 1798.115(c)(2), 1798.130(A)(5)(C)(ii), 1798.140(d). See also Modified Proposed Reg. 999.308(c)(1)(e)(1) (Feb. 10, 2020).

6. CCPA, Section 1798.115(a)(2), (c)(1); 1798.130(A)(5)(C).  See also Modified Proposed Reg. 999.308(c)(1)(e)(2), (c)(3)(b) (Feb. 10, 2020).

7. CCPA 1798.120(b); CCPA 1798.135(a)(1), (2); CCPA 1798.130(a)(5).  See also Modified Proposed Reg. 999.308(c)(3)(a) (Feb. 10, 2020).

8. CCPA, Section 1798.130(a)(1).  See also Modified Proposed Reg. 999.308(c)(1)(b), (c)(2)(b) (Feb. 10, 2020).

9. CCPA, Section 1798.105(b).  See also Modified Proposed Reg. 999.308(c)(2)(a) (Feb. 10, 2020).

10. CCPA, Section 1798.130(a)(5)(B); CCPA, Section 1798.110(c)(2).  See also Modified Proposed Reg. 999.308(c)(1)(a) (Feb. 10, 2020).

11. CCPA, Section 1798.130(a)(5)(B); CCPA, Section 1798.110(c)(4).

12. Note that this disclosure may only be required if the Modified Proposed Regulations are finalized.  Modified Proposed Reg. 999.308(c)(1)(c), (c)(2)(c) (Feb. 10, 2020).

13. Note that this disclosure may only be required if the Modified Proposed Regulations are finalized.  Modified Proposed Reg. 999.308(c)(4) (Feb. 10, 2020).

14. Note that this disclosure may only be required if the Modified Proposed Regulations are finalized.  Modified Proposed Reg. 999.308(c)(5) (Feb. 10, 2020).

15. Note that this disclosure may only be required if the Modified Proposed Regulations are finalized.  Modified Proposed Reg. 999.308(c)(6) (Feb. 10, 2020).

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.