How can a business distribute an employee privacy notice to current employees?
Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1 Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.
While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:
- Computer log-in notice. Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
- Email. Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
- Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
- Open enrollment. Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
- Paper Distribution. Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).
It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.2 As a result, if some employees do not have access to some format as a result of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution) it may still need to post an electronic copy of the privacy notice “online.”3
The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, Section 1798.100(b); CCPA, Section 1798.130(a)(3)(B) (note that this subsection does not apply to employee data until January 1, 2021). See also Modified Proposed Reg. 999.305(b)(2) (Feb. 10, 2020).
2. Modified Proposed Regulation 999.305(a)(2)(d)
3. Modified Proposed Regulation 999.305(b)(4) (stating that when a business provides a notice of collection offline it should provide a link to where the privacy notice “can be found online.”
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.