Since January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) has officially been in effect. In short, the CCPA imposes new privacy obligations on businesses that collect personal information of California consumers. But it doesn’t just stop at consumers. With the recent Attorney General-issued revisions, the CCPA applies to the employment relationship as well, including information related to employee benefit plans.
Here is a breakdown of how the CCPA affects the employment relationship.
CCPA and Employees
Under the CCPA, the definition of “consumer” is very broad, providing that any natural person who is a California resident is a “consumer”. This definition therefore extends to employees who are California residents, even though their relationship with the business is that of an employee and not a consumer.
Since the definition of “consumer” is very broad, so is the definition of “personal information.” However, the recent revisions by the Attorney General brought some clarity about what constitutes “personal information”: employment-related information is considered “personal information” under the CCPA. There is no exemption for employment-related personal information stored and maintained by an employer.
As such, similar to consumer information, the CCPA requires employees and applicants to be notified that their personal information is being collected.
Other noteworthy revisions from the Attorney General include:
- An employer is not required to provide a link to an online privacy policy to employees and applicants as a method of notice; they can be notified through a paper form or via email.
- An employer is allowed to provide a link to an online privacy policy tailored to employee and applicant data, rather than the general online privacy policy which deals with consumers as a whole.
Employment-related Information Under CCPA
The following common types of “employment-related” data are considered “personal information” (and protected) for purposes of the CCPA:
- New hire/on-boarding paperwork, including resumes, employee applications (including Social Security Number, driver’s license, mailing address), background checks, IRS Forms W-4 (withholding), etc.
- Payroll information, including employee bank account numbers for direct deposit.
- Credit card information provided in connection with expense reports.
- Random drug testing paperwork and results.
- Documentation of various types of leave, such as sick leave, vacation, paid time off, etc.
- Employee benefit plans (to the extent not exempt from the CCPA).
- Employee’s online activity on a work computer/system, such as browsing history and search history.
Data from Employee Benefit Plans
Data from employee benefits plans are covered—and protected—under the CCPA. Employee benefit plans collect and use personal information since plans require various types of personal information, such as name, address, Social Security Number, and insurance policy information.
However, certain benefit plans may have varying compliance obligations under the CCPA, especially if they are HIPAA-covered or ERISA-covered.
The compliance obligations of certain benefit plans may be: (1) limited by the CCPA’s HIPAA exemption; and (2) potentially preempted by ERISA.
HIPAA Exemption
The CCPA does not apply to “protected health information” (PHI) of a group health plan that is subject to HIPAA or to other personal information protected in the same fashion as PHI. Employer-sponsored HIPAA-covered benefit plans typically include a major medical plan, dental, vision, health flexible spending account, and certain wellness or employee assistance programs. One thing to note is that some information collected by a benefit plan may be personal information under the CCPA, but not PHI under HIPAA, and there may be compliance obligations concerning that information.
ERISA Preemption
The CCPA does not specifically address how it applies to benefit plans not covered by HIPAA. For plans that are subject to the Employee Retirement Income Security Act of 1974 (“ERISA”), there is a possibility that the CCPA could be preempted, or prevented, by ERISA. As such, ERISA-covered benefit plans that are not HIPAA-covered (such as 401(k) plans, long term disability, and AD&D) may be able to successfully argue that personal information collected and used is not subject to the requirements of the CCPA.
The Bottom Line
When dealing with the CCPA regarding employment, an employer should apply to employee data and employee benefit plan data (that may be subject to the CCPA) the same steps it applies to “personal information” from customers and other consumers.
Reach out to CorpStrat to learn how we design and manage (compliant) employee benefits at competitive rates so your company can attract, reward, and retain your employees.