Tuesday, July 14, 2020

The Employee Data Dilemma: Should Companies Establish An Employee Privacy Program Now, or Later?

At a time when a global pandemic and economic recession have left many employers in the US cash-strapped, most would probably prefer to defer any investment of time and money in an employee data privacy compliance program.  

Employers with a substantial number of California employees (or contractors) are currently faced with a conundrum: whether to establish an employee data privacy program now, or later.

The California Consumer Privacy Act, as originally written, applied to personal information about "consumers," but the term "consumer" was so broadly defined that some people speculated that it covered employees and contractors as well as individual customers.  Later in 2019, AB 25 was proposed by Assemblymember Chau to clarify that the intent was not to cover employees, but after objections were raised (and backed by powerful labor unions, I'm told), AB 25 was amended to create a temporary, partial exclusion from the CCPA until January 1, 2021.  That is the version of AB 25 that passed.  The idea, as I understand it, was that the California legislature would come up with some other way of addressing employee privacy before the end of 2020.  (I wrote about that briefly here.)

We are now halfway through 2020, and the legislature has not yet delivered a solution.  Companies are starting to grow concerned.  Under current law, companies have six months to create an employee data privacy program.  

The California Privacy Rights Act, better known as "CCPA 2.0," is a ballot initiative promoted by the same people behind the CCPA, and it has officially qualified to be on the November ballot in California.  Polling suggests it is highly likely to be approved by voters.  There is one aspect of CPRA that would help companies: It would extend the partial exemption of employee and contractor data for two additional years.

The problem for companies is that we will not know if CPRA has passed until November 3. If it does not pass, it will be too late to do the work required by January 1 (less than two months later). 

Companies must decide whether (a) to take the gamble that CPRA will pass, and defer the work, or (b) to do the work now, even though it likely will not be necessary to comply until January 1, 2023.

(There is a third possibility: Assemblymember Chau has introduced AB 1281, which would push the deadline out by one year to January 1, 2022.  Unfortunately, that bill has not made meaningful progress in the legislature, and currently lingers in committee.  Perhaps, if the CPRA somehow fails, AB 1281 could be enacted rapidly during November or December.)

Based on my informal survey of privacy professionals, it seems many companies are not preparing employee privacy programs, and are simply assuming that CPRA will pass.  (I have not yet seen any actual polling of privacy pros on this question.)  There is certainly a degree of risk in this approach.  Companies with the resources would be best served by preparing now, rather than later.  Companies struggling to survive, however, have a difficult decision to make.