Earlier this year, California Attorney General Xavier Becerra denied the request of business leaders from more than sixty companies seeking to delay enforcement of the new California Consumer Privacy Act (CCPA), which took effect January, 1, 2020.
The primary issue cited in the letter? COVID-19. Postponing enforcement, now set to begin July 1, would provide companies with a six-month window in which to adjust to the remote working conditions brought on by the pandemic and to deal with the confusion and compliance concern, resulting from the several rounds of revisions and amendments that the law has gone through since its passage in June 2018.
Becerra sided with consumer advocates, who had argued that COVID-19 actually made prompt enforcement even more crucial. More people were at home, relying on online services for a wider range of activities and services, and companies themselves were more vulnerable to cyber threats and attacks.
In this piece, I outline the key provisions of the CCPA, and discuss one key, yet controversial, amendment to the law, known as AB25, or the employee exemption rule. Others have written about the law and its implications, particularly for businesses and consumers, yet I discuss the CCPA as part of a larger conversation about individuals’ rights to their personal data as workers. For now, the law only protects individuals as consumers. Due to the employee exemption, workers must wait until January 1, 2021, or perhaps longer, to have the same rights and protections under the law.
Individuals should be able to reap the benefits of technology and be protected from the risks and harms that technology poses whether they are at home or at work. Therefore, we should work hard to ensure that consumers and workers have the same rights because data privacy is not just a consumer issue—it’s also a labor rights issue.
What Is the CPPA and What Does It Do?
While data privacy can be thought of in different ways, from addressing false or misleading statements in online privacy policies, to requiring companies to clearly disclose their privacy policies, the CCPA is arguably the most robust data privacy law to date in the United States. Undoubtedly the law has further stoked a fire under federal lawmakers, and some states have followed with their own versions. In 2019, twenty-seven states—more than half of the nation—considered legislation dealing with consumer data privacy; only six of those states enacted bills, facing fierce opposition from tech companies.
In short, the CCPA gives residents of California the ability to be informed about, and to request the data that businesses collect on them; to demand that the data be deleted; and to opt out of having that data sold to third parties, among other policies.
Here is a breakdown of several key provisions of the law.
Businesses have to disclose to consumers details about personal information collection practices and use.
When we sign up for apps, companies often ask for contact and other personal information. They also often track the pages we visit and the links we click, and aggregate this data to create a portrait of our likes and dislikes, and other personal characteristics like our spending, exercise habits, and even information about our friends and families. This data is often shared with or sold to a third party, who may in turn use them for their own research or other commercial purposes.
Now, with the CCPA, businesses are required to disclose what personal information is being collected about individuals, their right to have the information deleted, how the information is being used, whether it is being sold, and to whom. Businesses have to be able to “reasonably verify” that the person making the request is someone whose information has been collected, or is someone authorized to act on the person’s behalf.
Individuals also have the choice to opt out of having their personal information sold to an outside party. Businesses, in turn, cannot discriminate against them for exercising this right by charging a higher price or offering a different, lower-quality good or level of service, if an individual decides not to provide her personal information.
Consumers may request that businesses send them the personal information that they collect.
Businesses are required to provide this information, free of charge, in a reasonable manner of delivery (i.e. by mail or electronically).
The CCPA covers for-profit businesses that (a) do business in California, (b) collect the personal information of consumers, and (c) satisfy any of the following three criteria
- Have annual gross revenues over $25 million; or
- Annually receive, sell, or share personal information about more than 50,000 or more California residents or households or 50,000 devices; or
- Derive 50 percent or more of their annual revenue from selling the personal information of consumers.
To Be or Not to Be (a Consumer)? The CCPA’s Employee Exemption Rule (AB25)
Given that the CCPA is intended to protect California “consumers” and their personal information, there are two critical questions at the heart of the law, at least from an employment perspective: 1) Who is a “consumer”? and 2) Is employment-related data considered to be “personal information”? What about if an employee works for, or applies for a job at Facebook? What if the information pertains to her role as an employee, not as a Facebook user?
The answer depends on how “personal information” and “consumer” are defined under the law.
Is employment-related data considered to be personal information?
Whereas some states, like Texas, do make distinctions in their privacy laws between what is considered employment-related versus personal information, the CCPA considers them to be one and the same. The following are examples of “personal information” under the law: name, address, email address, insurance policy number, education, employment, employment history, bank account number, credit card number, or any other financial information.
Who is a consumer that can make a request under the CCPA?
This is more complicated—and yet, it’s critical from the worker’s perspective. Under the CCPA, a “consumer” is any “natural person,” meaning anyone who is a California resident (as defined in Section 17014 of Title 18 of the California Code of Regulations).
This would appear to be fairly broad, and would seem to include any individuals who work for the company in question. However, following the law’s passage in June 2018, a series of amendments were made to the law. One of these amendments, known as the employee exemption, or Assembly Bill 25 (AB25), provided a temporary (one-year) reprieve for businesses. During this period, they do not have to comply with the CCPA if they collected personal information from an individual who was acting in an employment-related capacity, such as in the case of a job applicant, employee, contractor, or other business agent (owner, director, officer). Another amendment, AB1355, was passed as well, which also provided a one-year reprieve for businesseses, which exempts personal information, stemming from business-to-business (B2B) communications or transactions that are collected on individuals in an employment-related capacity. Essentially, this means businesses can still sell personal information to other businesses, if it is employment-related.
Notwithstanding these exemptions, there are, however, two circumstances under which employers were now subject to the CCPA, as of January 1, 2020: (1) they are still required to take reasonable security measures to safeguard data to avoid a security breaches; and (2) they are still obligated to provide notice of data collection and use practices.
Now, as the law stands, on January 1, 2021, the CCPA will fully apply to consumers in their capacities as employees as well. This will mean that businesses will need to make sure their consumer request procedures include measures for determining which employee information is subject to certain provisions of the law.
That said, it’s possible that there could be a future amendment that extends the employee exemption or even makes it permanent. With this possibility in mind that the employee exemption could be here to stay, now is the time for thinking about data privacy-related policy broadly.
The Employee Exemption and Worker Status
AB25 came about because of intense battles between businesses impacted by the law and data privacy advocacy groups. On one side, companies, including some of tech’s top players, their lobbying groups, and trade associations, pushed for AB25 and other amendments, arguing that the law, as it stood, would create an undue burden for businesses, increasing financial, legal, and other costs, without giving “meaningful privacy protections” to consumers. On the other side, privacy groups argued that AB25’s language gave too much leeway to companies, allowing for invasive data collection and surveillance on workers. In a letter to Assemblymember Ed Chau (District 49), a sponsor of AB25, privacy groups cited examples such as employers requiring workers to wear individual surveillance tech, like employee badges with microphones, arguing that, “Absent a safeguard of privacy for workers in the workplace, the bill opens the door to highly intrusive data collection by companies of their employees.”
So, at the same time that groups were fighting over whether workers should have the same data privacy rights as consumers, another fight was underway. This one was over a law that determines who is an employee versus who is an independent contractor. Assembly Bill 5 (AB5), the “worker status” law, codifies an earlier California Supreme Court ruling, which imposes a legal standard for determining when workers should be classified as employees or as the less-protected status of independent contractors. The latter designation denies the worker the benefits and protections of being payroll employees. Under this law, to be classified as an independent contractor, workers must: (a) be free from control and direction by the hiring company; b) perform work outside the usual course of business of the hiring entity; and (c) be independently established in that trade, occupation, or business. Governor Gavin Newsom approved both AB25 and AB5 on the same day, October 11, 2019.
What is the connection between these two fights? Data.
By limiting workers’ access to personal information or data, AB25 also limits their access to information that can be important for knowing and understanding the rules and decisions that create their working conditions. Not only does this further reinforce the existing data and informational advantages that businesses have over workers, in the first place—advantages that come with collecting, storing, and maintaining tremendous amounts of personal data—but also it deprives workers of information that can be necessary for questioning, or challenging, working conditions that are inadequate or unsafe. Ultimately, this lack of data access and information harms workers because it undermines their power to bargain or negotiate to improve their working conditions or pay, or to address other work issues that may be important to them.
This lack of data access and information harms workers because it undermines their power to bargain or negotiate to improve their working conditions or pay, or to address other work issues that may be important to them.
As businesses increasingly use the data collected on their workers to power algorithms that create and shape work rules and management decisions, like hiring, wage-setting, and performance and review ratings, this becomes an ever more important issue (having greater potential impact and implications) when we consider the millions of workers affected.
For example, here in the United States and abroad, drivers have been involved in ongoing disputes with ride-hail companies like Uber and Lyft over data privacy issues, demanding that the companies disclose and share data that is being collected on them (e.g. app log on/off times, location and pay information, passenger ratings and reviews, etc.). For these drivers, having access to this data would level an already drastically uneven playing field because companies collect and control data on virtually everything they do. Thus, if shared more broadly, data is a powerful policymaking tool to inform and shape laws concerning labor, transportation, and other public policies, as we saw in New York City, home of the first national case where making ride data available led to a ride-hail minimum wage.
Data Policies That Recognize All Aspects of Life
Let’s pay close attention to what happens with the CCPA, especially as activists who helped push the CCPA forward have recently collected more than 900,000 signatures for a new ballot initiative that would replace the CCPA with the (tougher) California Privacy Rights Act of 2020. State residents could vote on it this November. California is home to many of the country and the world’s most powerful companies, and it is sure to set a tone for how we handle and think about personal data collection and use in the United States.
Given what is happening with workers’ battles over data around the world, it is evident that debates over how our personal data is handled, and who should have rights to control this data, are also labor rights debates. In most places across the country, adequate data privacy laws are lacking, and the only means for individuals to gain access to their personal data is by relying on unilateral business action, or cities and data privacy advocates pressuring businesses to act. And while these latter forms of collective action are important, labor unions and worker organizations must also take up the torch on the issue of data privacy, and must be supported by law in their efforts.
Policies that protect us as consumers but fall short in protecting us as workers fail to recognize us to the full extent of our lives.
So when we think about the issue of data privacy, let’s also always consider the need for technology policies that address the risks that workers face. Policies that protect us as consumers but fall short in protecting us as workers fail to recognize us to the full extent of our lives. When we as workers are making claims on our right to have access and control over our personal data, we are also making a claim on our livelihoods—our ability to have an adequate and secure income, to have benefits and paid leave, and have a better quality of life. This is inextricably linked to our ability to consume. Policies that protect us as consumers should protect us as workers, too.