The Employee Exception to the California Consumer Privacy Act (CCPA), Employee Rights, Employer Policy and Understanding the Unique Role of the National Labor Relations Act

I. Introduction
When California enacted the CCPA it included a limited one year exception for employee data. There were complex reasons for the exception, of which full integration with employer access and privacy policies and handbooks were most important. As CCPA doctrine had yet to evolve and predictable policy modifications hard to draft, this article will look at these issues through the evolving doctrine of federal labor law, which affects those rights and complicate the adaption to the new CCPA environment. Just as the CCPA is a national model with international roots, the National Labor Relations Act and its defined rights and responsibilities are of similar scope for all entities with national policy planning responsibilities.

II. The CCPA in Brief
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. There is a common misconception that companies need to be selling data in order for the CCPA to apply. But that is not correct. The CCPA regulates all for-profit companies doing business in California that collect consumers’ personal information and meet (just) one of the following three thresholds: has annual gross revenues in excess of twenty-five million dollars ($25,000,000); buys, receives, sells, or shares for commercial purposes the personal information of more than 50,000 consumers, households, or devices; or derive 50 percent or more of annual revenues from selling consumers’ personal information.

Significantly, the twenty-five million dollars ($25,000,000) revenue threshold is independent of any consideration whether the business collects any particular volume of consumer data.

In addition, the CCPA also applies to any entity that either: controls or is controlled by a covered business (for example, a subsidiary) or shares common branding with a covered business, like a shared name, service mark, or trademark.

A consumer is a California resident. The scope of information covered by the CCPA is very expansive, including 11 categories of information and subsets in those categories. Very broadly, the CCPA covers all personal information that identifies, relates to, describes, or capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated. The CCPA covers information that can be considered “unique” to a consumer, which can include identifiers such as an internet protocol (IP) address.

CCPA grants consumers: (i) the right to notice of what categories of personal data is being collected and the purpose for which it will be used; (ii) the right to access – to request information regarding the categories of personal information collected about them; (iii) the right to request deletion of personal information collected about them (with some exceptions); (iv) the right to opt-out of the sale of their data and personal information; and (v) the right to equal treatment/nondiscrimination so as to be free from discrimination if they exercise any of their rights.

Businesses have corresponding obligations to these rights. Some include providing privacy disclosures in advance of collecting any data, complying with any verifiable consumer requests identifying data within a 45-day time span, deleting certain data, and providing information free of charge, unless a request is manifestly unfounded or excessive.

The CCPA sets forth specific disclosures that businesses must include in their notices of collection. For example, under the CCPA, businesses must inform consumers at or before the point of collection what categories of personal information will be collected and the purpose for which these categories and information will be used. If a business was to collect additional categories, or collect personal information for a new purpose, they must also provide new notice of such collection and its purpose. This requires ongoing efforts to identify changes in collection or use of previously collected personal information.

An organization that does not collect information directly from consumers generally does not need to provide such a notice, but before it can sell a consumer’s personal information, it must inform the consumer that it is going to do so or verify with the source of the consumer information that notice was given. The right to know categories of third parties also applies - i.e., third parties must also give consumers explicit notice and an opportunity to opt-out before re-selling personal information that the third party acquired from another organization.

The CCPA also sets forth specific disclosures that businesses must include in their privacy policies, including descriptions of consumer rights and how to exercise them. A corollary to the right to notice is the right to access. Under the CCPA, consumers have the right to request that a business disclosure the categories of personal information collected, the categories of sources from which personal information is collected, the business or commercial purpose of the collection, the categories of third parties with whom the business shares personal information; and the specific pieces of personal information the business holds about a consumer. If a business sells personal information or discloses it for business purposes, consumers have the right to request the categories of information being sold or disclosed to other parties. In most instances, consumers are limited to two requests for data access information under the CCPA per year per organization and for a period of no more than the prior twelve months.

Businesses are also required to: (1) verify the identity of the consumer making the request, (2) not release information to other parties claiming to be a consumer, and (3) ensure that any information transmitted to the consumer is done in a reasonably secure way.

Consumers have the right to request deletion of personal information collected by a business, provided the consumer makes the request to the business that actually collected the information from the consumer. There are some limited exceptions to this right. For example, businesses do not need to delete information if the business needs the consumer’s personal information for a reason related to the business, such as providing goods or services to the consumer, complying with other legal requirements, detecting security incidents, conducting research, exercising free speech, protecting or defending against legal claims, or for internal operations the consumer might reasonably expect.

The parameters, limitations, and application of many of these exceptions are vague and fact specific to your business, including in particular with respect to a consumer’s reasonable expectation. For example, in determining whether a particular exception applies, businesses will have to determine the expectations of their particular consumers, how to handle the fact that personal information may be replicated many times and used for different purposes, and consider who and how the organization will make decisions regarding CCPA requests and whether any exceptions apply. Accordingly, businesses should consult legal counsel for assistance in determining whether a particular exception applies.

Businesses, in complying with the timing requirements noted in the access section above, must also inform the consumer in which manner the information is being deleted in response to the consumer’s request to delete collected personal information.

Consumers also have the right, at any time, to direct businesses that sell personal information about the consumer to third parties to stop the sale of their personal information. If a consumer is a minor, the CCPA conversely provides for a right to opt-in to the sale of data (exercised by the minor if the consumer is between 13 and 16 years of age, or by the minor’s parent or guardian if the consumer is under 13 years old). Businesses must wait at least 12 months before asking consumers to opt back in after a consumer has chosen to opt-out.

The CCPA prohibits businesses from discriminating against consumers by denying goods or services, charging a different price or rate for goods or services, providing a different level or quality of goods or services, or suggesting that they will do any of these things based upon a consumer’s exercise of any CCPA rights. Consumers that exercise their rights under the CCPA must be treated equally and have a right to equal services and prices.

However, the right to equal services and prices does not place any restrictions on an organization’s ability to collect information or deny service if a consumer does not want to participate in collection; it only applies once the consumer exercises specific CCPA rights.

III. The “Employee” Exception
The CCPA contains a limited exclusion for a period of one year for personal information of employees and job applicants collected by an organization. As long as employers are collecting the data of its employees and job applicants for purposes solely relating to their employment, the CCPA generally does not apply to the collection of that information. While the CCPA suspends employee rights related to access, deletion, and opting out of data collection, businesses must still provide privacy disclosures to employees regarding their data collection practices. This includes, for example, disclosure of the information that the employer collects and the purpose for the collection. Employees also still retain the right to commence a private right of action in the event affected by a data breach caused by a failure of the duty to maintain reasonable security safeguards.

IV. The Impact – Actual and Potential - of the National Labor Relations Act
We will focus on growing issues of privacy which emerged in workplace investigations under the National Labor Relations Act and are now reflected in state law.

National Labor Relations Board (NLRB) doctrine began to acquire a heightened role in employer policies in a set of decisions relating to employee handbooks and confidentiality in sexual harassment investigations.

The key concept is that under Section 7 of the National Labor Relations Act “protected concerted activity” issues were viewed as impacted by employer handling of data and decisions that might in other contexts be viewed as involving data privacy, but in the Board’s view were characterized as employee privacy.

In Hyundai America Shipping Agency v. N.L.R.B., No. 11-1351, slip op. (D.D.C. Nov. 6, 2015), the D.C. Circuit supported the Board’s position that the need for union and non-union employers to carefully review both oral and written workplace rules and policies, even if they do not on their face touch on union-organizing activity, constituted protectable information, and also as to access that information.

The Hyundai employee handbook included a rule limiting the use of company electronic communications systems, stating, "employees should only disclose information or messages from theses [sic] systems to authorized persons." The Court upheld the NLRB's determination that the rule is facially invalid, agreeing that a reasonable employee could read it as a restriction on employees' ability to share information about terms and conditions of employment. Moreover, it was not limited to protection of a narrow category of only confidential information.

Next, the Court upheld the Board in finding unlawful a provision sanctioning disciplinary action up to termination for "[p]erforming activities other than Company work during working hours." The Court agreed with the Board's assessment distinguishing between rules restricting union activity during working hours (including breaks), which are presumptively unlawful, and restrictions of activity during active working time, which are permissible. Because this rule fell into the former category, it was invalid.

It is useful to anticipate how this approach might relate to the access; non-discrimination and opt-out provision of the CCPA.

Although the Board has retrenched from that position in Apogee Retail LLC d/b/a Unique Thrift Store, 368 NLRB No. 144 (2019), which reverses a 2015 decision— Banner Estrella Medical Center, 362 NLRB 1108 (2015), enf. denied on other grounds 851 F.3d 35 (D.C. Cir. 2017) by declining to require employers prove, on a case-by-case basis, that the integrity of an investigation would be compromised without confidentiality.

However, if the burden on the employer to determine whether its interests in preserving the integrity of an investigation outweighed employee Section 7 rights, how will that balance tip when and if the CCPA exception expires?

Another aspect of the treatment of potentially protectable information arises in internal communications such as email and whether employees have a statutory right to use employer IT resources unless the employer’s email system furnishes the only reasonable means for employees to communicate with one another. In Caesars Entertainment d/b/a/ Rio All-Suites Hotel and Casino, 368 NLRB No. 143. the Section 7 issue derived from the Board’s earlier decision in Purple Communications, Inc., 361 NLRB 1050 (2014 which envision that section 7 rights included use of such data and the internal modalities for its communication. Previously the Board had held in Register Guard, 351 NLRB 1110 (2007) where the use of employer-provided email is the only reasonable means for employees to communicate with one another on non-working time during the workday.

V. Going Forward
Today’s policies are the seeds of tomorrow’s litigation. Counsel and their clients are wise to stay focusing on the developments in the coming year under the CCPA and its specific ramifications under related regulatory statutes that define employee rights.

Share this post:

Comments on "The Employee Exception to the California Consumer Privacy Act (CCPA), Employee Rights, Employer Policy and Understanding the Unique Role of the National Labor Relations Act "

Comments 0-5 of 0

Please login to comment