AB-25: What this CCPA Amendment Means for Employers and Employees


By Blog, CCPA, Data Privacy

On September 13, 2019, California’s legislature ratified Assembly Bill 25 (AB-25), which is expected to scale down the scope of application of the California Consumer Privacy Act (CCPA) to employers.

CCPA is scheduled to go into effect on January 1, 2020, but with crucial changes. The amendments are detailed in five Assembly Bills approved by Governor Gavin Newsom in September 2019.

AB-25 is one of the five amendments and it applies to human resource and recruitment functions.

What does AB-25 do?

From a general perspective, the CCPA protects all the ‘personal information’ belonging to ‘consumers.’ In the context of this regulation, the term ‘consumers’ refers to California residents while ‘personal information’ denotes any individually identifiable data about these users.

Nonetheless, AB-25 exempts specific kinds of personal information connected to residents of California from CCPA oversight. The categories are:

  • Human resources information
  • Emergency contacts
  • Third-party benefits data

a) Human Resources Information

This category comprises personal data of California residents in their position as job applicants, employees, persons who are autonomous contractors, corporate officials and executives. 

Additionally,  persons with a majority proprietorship interest in a business, as well as physicians, surgeons, and dentists who are workforce members are included in this category.

b) Emergency Contacts

Under this classification, AB-25 exempts the data of California residents described as an employee’s emergency contact from the applicability scope of the CCPA.

c) Third-party Benefits Information

This category covers the personal data utilized in determining benefits for California residents that are designated to get benefits from the employer based on their employee-employer engagement such as next of kin or dependants.

What Aspects of the CCPA does AB-25 Uphold?

While AB-25 exempts the aforementioned categories of personal information from the scope of the CCPA, it still upholds certain rules outlined by this data privacy regulation that applies to employers. They include:

  • The risk of a data safety breach
  • Disclosure requirements

i)The Risk of a Data Safety Breach

The CCPA creates a procedure, which permits residents of California to be compensated between $100 and $750 in regulatory damages for specific data security breaches. The applicability of the procedure is dependent on two crucial factors.

Firstly, it must entail the unauthorized access and exfiltration, theft or disclosure of sensitive personal information that would initiate data breach notification requirements under California’s notification regulation. In case this kind of breach occurs, California’s breach notification law requires the affected persons to be made aware of the breach, and if, the breach affects over 500 individuals, California’s Attorney General should be informed of the occurrence.

Secondly, the breach must be an outcome of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

However, before filing an individual class action claim, the affected party or parties should serve the business in question with a 30-day written notice and a chance to rectify any purported failures in safeguarding consumer data. 

In case the company rectifies the problem and provides the consumer with an express written statement that the violations have been addressed and that no further violations shall occur, the concerned party will no longer be eligible to receive statutory compensation on either individual or class action claims.

Furthermore, AB-25 does not amend the fines imposed on a company from a regulatory perspective when a violation occurs. Primarily, employers are still subject to a fine of between $2,500 and $7,500 from a competent authority in case of a breach under the CCPA.

What this means is that employers have an increased risk when it comes to handling the personal information of their employees. 

ii) Disclosures

Regardless of AB-25 exemptions, employers are still obligated to notify consumers including members of their workforce as well as job seekers about the categories of personal information they collect and the purposes of its utilization at or before the point of collection.

This notification should be served via a CCPA-compliant privacy policy.

Is the Implementation of AB-25 Permanent?

This amendment will remain in effect for 12 months from the enforcement date of the CCPA, which is on January 1, 2020. Therefore, AB-25 automatically terminates on January 1, 2021.

The 12-month window is aimed at giving lawmakers ample time to come up with narrowly customized answers to the issues raised in connection with the enforcement of the CCPA in the context of employee data.

How Should Employers Deal with AB-25?

Readiness is vital. To avoid the risk of costly penalties that could cripple your business, you need to;

  • Review your information and security policies and processes to reduce the exposure to security breaches involving sensitive personal information
  • Identify the relevant points of collection of personal information and deliver the appropriate notice
  • Collect the prerequisite insights to come up with the necessary notices
  • Enforce internal policies that cultivate a culture of compliance to evolving statutory data-handling practices
  • Continuously monitor developments connected to the enforcement of the CCPA

 Although the CCPA eases the burden of CCPA for recruiters and employers, it does not mean you are off the hook. You need to adopt measures to guarantee absolute compliance with the CCPA. 

Book a call with us today for a personalized demo of our CCPA solution customized to your unique business needs. 

Additional Resources:

Get all your questions or concerns answered with our detailed CCPA summary 

Get your free CCPA e-book delivered instantly into your inbox