AB25: How CCPA affects employers and recruiters

The enactment of Assembly Bill 25, or AB25, brings good news for employers who are stressed about the California Consumer Privacy Act (CCPA).

ab25

CCPA will go into effect in January 2020, but with important modifications. These modifications are detailed in five Assembly Bills signed by California’s Governor Gavin Newsom in mid-October 2019. AB25 is one of those five bills, and it’s very relevant to the HR and recruitment functions.

What does AB25 do? AB25 mainly provides employers a one-year exemption from their CCPA obligations (a “moratorium”) with respect to information collected by a business “in the course of a natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.”

So, via AB25, CCPA doesn’t apply to employees and job applicants

In other words, as long as employers are collecting the data of its employees and job applicants solely for purposes relating to employment, the CCPA generally doesn’t apply to the collection of that information.

This is why recruiters can breathe a sigh of relief: employees and job applicants aren’t considered to be “consumers” under CCPA. Therefore, they don’t have the same privacy rights, such as right to deletion and opt-out.

But, you’re not completely off the hook

First, this exemption would remain in effect only until January 1, 2021. It’s a “sunset” provision that will expire on that date.

Also, AB25 upholds some rules under CCPA. These are:

Disclosure requirements

Employers are still obliged to inform people (including employees and job applicants) of the categories of personal information they collect – and the purposes for its use – at or before the point of collection.

This is usually done via a CCPA-compliant privacy policy. Recruiters will need to send it to candidates or feature it in a prominent place in their job ads.

Private right of action for data breach

Natural persons exempted via AB25 still have the right to a private civil action. For example, if your business is hacked and the personal information of job applicants is compromised, then a job applicant has two options under CCPA:

  • File an individual claim. This means that you may be liable to pay damages to that individual person because of the data breach.
  • File a class action suit. This means you may have to pay potential damages to all people affected by the data breach who are included as members in the suit.

Of course, it will be interesting to see whether class actions may end up being rare when it comes to privacy breaches – but it’s not a consequence you want to face anyway. We’ll see how this plays out, since the private right of action is available under CCPA.

The same penalties stand under AB25

AB25 doesn’t modify the penalties and fines inflicted on a business in the case of a CCPA violation. Your company can receive a fine from $2,500 to $7,500 from the competent authority, and you may also be obliged to pay $100 to $750 per consumer per incident if found to be in breach of your obligations in a civil action.

For example, the minimum amount you may be required to pay for violating CCPA after being found liable in a class action of 1,000 job applicants is $1,000 multiplied by 100 = $100,000, plus a minimum of at least $2,500.

Preparation is key

The numbers speak for themselves: to avoid the potential for expensive fines that could break your business, having a CCPA-compliant privacy policy is a priority. You also need to be sure that you use secure and CCPA-compliant vendors to collect or store personal information of consumers.

CCPA security and compliance are both measures that Workable, as a recruiting software provider, is planning to help its customers with. Stay tuned for more!

Also, keep in mind that there’s expectation a privacy law specifically applying to employees will be enacted in the year to come (possibly at the federal level). This means that there might be compliance obligations similar to those in CCPA that cover personal information of employees and job applicants.

See how CCPA differs from GDPR.

So, while AB25 softens the burden of CCPA for recruiters and employers, you aren’t necessarily in the clear. You need to take steps to ensure absolute compliance with CCPA by January 1, 2020 and any future laws as well as implement best practices. But, if you stay informed of changes and proactively implement measures, you should be in a good place going forward.

Disclaimer: Workable is not a law firm. This article is meant to provide general guidelines and should be used as a reference. It’s not a legal document and doesn’t provide legal advice. Neither the author nor Workable will assume any legal liability that may arise from the use of this article. Always consult your attorney on matters of legal compliance.

Let's grow together

Start hiring now with a 15-day free trial. Or talk to us about your hiring plans and
discover how Workable can help you find and hire great people.