California Consumer Privacy Act and Its Impact on California Employers


The CCPA could have major implications for employers, the workers’ comp industry, lawyers, medical record retrieval companies serving lawyers, and insurers.

Medical Record Review 8596 E. 101st Street, Suite H Tulsa, OK 74133


Close on the heels of the General Data Protection Regulation (GDPR) of the European Union, which became effective on May 25, 2018, California has become the first U.S. state to introduce its own suite of consumer privacy rules – the California Consumer Privacy Act (CCPA). This Act was signed into law on June 28, 2018 by Gov. Jerry Brown and contains many provisions aimed at strengthening consumers’ privacy rights. The CCPA becomes effective on January 1, 2020 and is expected to be, in some ways, the most expansive privacy law currently in the United States.

What impact will the new law have on the rights of employees and on programs such as workers’ compensation in an organization? As a welfare program for employees, workers’ compensation pays benefits to workers injured at the workplace. The benefits are granted based on a comprehensive Medical Records Analysis and evaluation of the circumstances under which the injury occurred.

The CCPA will affect employers across the United States as well as on a global level and encourage similar legislation in other states. For instance, a group of senators in Washington state introduced the Washington Privacy Act SB 5376 (WPA), which would establish requirements similar to those of the GDPR on businesses that collect personal information related to residents of Washington. Apart from requirements for notice, and consumer rights including access, rectification, and deletion, the WPA would put restrictions on the use of automatic profiling and facial recognition.

Since the CCPA’s implementation date is approaching fast, and certain provisions may reach back prior to the effective date, businesses must start preparing as soon as possible. Here are some facts to know about the CCPA, how it applies to employee personal information and how business owners can stay compliant.

Businesses the CCPA applies to: Any business entity in the State of California that satisfies one or more of the following conditions is bound by the new law:

Annual gross revenue in excess of $25 million

Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices

Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

www.mosmedicalrecordreview.com

918-221-7791


The Act would apply to any business that controls or is controlled by another business that meets the above criteria and shares common branding with the former. This could have wide-reaching implications for franchised businesses and subsidiaries. The law aims to reach businesses that handle significant amounts of data, and smaller companies may also be included. Also, businesses that have small operations in California and meet one of the above requirements will have significant privacy obligations concerning those operations.

Employee rights under the CCPA: The CCPA’s definition of consumer (a resident of California) may extend to personal information of California residents maintained by employers and may include job applicants, temporary workers, full- or part-time workers, volunteers, interns, independent contractors and even their dependents or beneficiaries. Under this Act, employees are consumers and have the same rights as any California consumer, such as the following.

Notice, disclosure and non-waiver: Employers must inform employees about the categories of personal information collected and the purpose of the collection at or before collecting the information. No additional categories of information can be collected without prior notice. When employees’ personal information is sold or disclosed to third parties for “business purposes” that include disclosures to benefit providers, payroll vendors and others, employees must be notified of the same. In their agreements with service providers, employers must strictly prohibit any unauthorized use or sale of employee information other than specified processing purposes. Employers cannot ask their employees to contractually waive any rights ensured by the CCPA. There are specific requirements as regards how employees must be notified of and may exercise their CCPA rights such as toll-free numbers to submit requests and clear and conspicuous links titled “Do Not Sell My Personal Information.”

Access to data: Employees can request that employers disclose the categories of personal information collected about them and the specific personal information collected. Once the request is verified, employers must provide the information within 45 days and free of charge, with a limit of no more than 2 requests in a 12-month period.

Deletion of personal data: Employees can also request that their personal information be deleted. However, employers can retain any information necessary for performance of the employment contract; or if the information is required only for internal purposes related to security, First Amendment rights and other uses described in Cal. Civ. Code § 1798.105(d) et seq.

Opt-out option: Employees have the right to opt out of the sale of their personal information, wherein “sale” comes under the CCPA’s broad definition. Covered employers must be cautious regarding this broad definition when signing corporate deals or when engaging third-party service providers that could involve the transfer of sensitive personal data.

No discrimination: Employers cannot discriminate or retaliate against employees who exercise their rights under the CCPA.

CCPA may not apply to all data collected for administration of employee benefits: The CCPA provides certain exemptions that may exclude certain benefit plan data – i.e., plans subject to the HIPAA privacy and security regulations, which include medical plans, dental plans, and health flexible spending arrangements. Medical information that an employer receives in connection with a Family and Medical Leave Act certification, Americans with Disabilities Act reasonable accommodation, workers’ compensation claims and employer’s group health plan. There are many other kinds of employee benefits such as life and disability insurance plans, pension and 401(k) plans, tuition assistance programs, employee discount programs, wellness programs, transportation fringe benefit programs and others. Some of these programs may involve plans that may be subject to ERISA (Employee Retirement Income Security Act of 1974), which preempts certain state laws to the extent such laws relate to ERISA-covered employee benefit plans. CCPA and such laws could complicate the national administration of such plans.

Employers could face sanctions if they fail to comply with CCPA: Employees in California may institute a civil action under CCPA if certain types of non-encrypted or non-redacted personal data are subject to unauthorized access, theft, exfiltration, or disclosure as a result of the employer’s violation of a duty to implement and maintain reasonable security measures and practices appropriate to protect the personal information.

The employee is not required to show any actual injury or harm to maintain a civil action.

Actionable personal information is limited to social security numbers, driver’s license numbers, and medical and financial information. It is not extended to the broader categories of information mentioned in the CCPA’s “personal information” definition.

The employee must provide the business 30 days’ written notice of the alleged violation to allow the business to rectify the defect. If the business sets the defect right within the 30-day window, no action for individual or class-wide damages may be initiated.

If the employee initiates an action for actual pecuniary damages resulting from the breach or unauthorized access of their personal data, the above notice is not required.

The employee must notify the California Attorney General’s office within 30 days of filing any action. This is to give the office an opportunity to prosecute rather than allowing the civil action to proceed.

What happens to collected employee data if the business is acquired: If there is a merger, acquisition or bankruptcy and a third party assumes control of all or part of the business, then the employees’ personal information may be part of business assets transferred to the third party. Though this type of transfer is not considered a sale of personal information under the CCPA, if the third party materially alters how it uses or discloses the employee’s personal information and that use or disclosure is materially inconsistent with the notice provided to the employee at the time of collection, the third party must provide the employee with prior notice of the changed practices.

What happens to employee data if the employee is no longer a resident of California: If an employee moves or is transferred to somewhere outside of California, he/she may not be protected by the CCPA. However, the employee’s personal information may be protected by other laws and the organization may still have the same or even increased obligation to protect the worker’s data.

CCPA’s interaction with federal, state, or local laws: The CCPA specifies that its obligations are a matter of state-wide concern in California and supersede and pre-empt all rules and regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the collection and sale of a consumer’s personal information by a business. The Act also makes it clear that its obligations shall not restrict a business’s ability to comply with federal, state, local laws or regulations. Though the CCPA is drafted to supplement federal and state law, it shall not apply if it is pre-empted by or is in conflict with federal law, the United States Constitution, or the California Constitution.

What Steps Can Businesses Take?

Now is the time for organizations in California to closely monitor developments with regard to the Act and start considering whether employees’ personal information is impacted. Also, they have to determine:

Whether the company is covered and if so, whether it will separately address California employees

When and how to update employee data to address the information requirements

How to structure a process for data access requests from employees

Whether additional contractual language is required with any third parties, including vendors, receiving employee personal information to exert better control on how those third parties utilize the sensitive employee data they receive

What system modifications and awareness training will be needed to implement the above-mentioned things

The California Legislature may consider legislation in 2019 before the implementation date to address any meaningful and technical issues identified in the Act. The workers’ compensation industry, workers’ comp lawyers, social security lawyers, medical record retrieval companies handling medical data for these lawyers, insurance companies and other stakeholders need to watch out for developments related to the CCPA. In fact, many insurers, employers and defense firms are concerned as to how this law could expose them to liability for data breaches and problems with information security. An important consideration now is whether your company meets CCPA mandates when collecting, using, sharing or processing personal information about individuals located in California.