Could More Employer Data Privacy Obligations Be in California’s Future? FP’s Recap of California Agency’s Recent Board Meeting
Insights
5.14.24
State officials who oversee California’s data privacy law recently convened a public meeting to discuss various privacy-related matters – and may have signaled that an explanation of employer obligations under the law could be in the near future. The California Privacy Protection Agency’s (CPPA) May 10 meeting also touched on the federal American Privacy Rights Act, a proposed state law that would change the game when it came to collecting data on minors, and other future agenda items. Here is our recap of what employers need to know about this meeting.
Agency Opposes Federal Proposal
The open portion of the meeting began with coverage of various legislative updates across the country, as well as the CPPA’s position pending legislation. During this portion of the meeting, the Board disapproved of the recent sweeping federal proposal to pass the nation’s first data privacy law – the American Privacy Rights Act (APRA).
The CPPA Board noted it disapproved of the APRA because it would preempt several provisions of the California Consumer Privacy Act and California Privacy Rights Act (collectively, CCPA). It would also limit the California Legislature’s and CPPA’s ability to protect the privacy rights of Californians. Essentially, the CPPA Board believes any federal privacy legislation should provide the floor for American privacy rights, rather than a ceiling.
Agency Discusses Data Collection of Minors
The CPPA Board also discussed a piece of pending state legislation that would revise the way businesses treat the collection, use, and selling of data of minors. The law currently prohibits businesses from selling or sharing for targeted advertising purposes the data of minors under 16 where the business has “actual knowledge” that the consumer is under 16 and has not obtained the opt-in consent (from the consumer if between 13 and 16 years old, and from their parent or guardian if under 13 years old). Under AB 1949, the CCPA would be amended to remove the “actual knowledge” standard in determining whether a business must treat a consumer as a child.
The CPPA Board was concerned that removing the actual knowledge standard may force businesses to collect more information about consumers to determine their age for compliance purposes. They discussed a potential amendment to make “constructive knowledge” the standard, where a business knew or should have known the age of the consumer. The CPPA Board also expressed concerns that expanding the law to encompass consumers less than 18 years of age may be impractical, given the differences between a 14-year old and a 17-year old consumer’s capacity.
AB 1949 would also prohibit a business from collecting, using, disclosing, selling, or sharing the personal information of a consumer under 18 years of age in the absence of affirmative authorization. It would also establish technical specifications for an opt-out preference signal that indicates whether the consumer is a child, and establish age verification regulations.
Lastly, the CPPA Board decided that it would seek to either remove the requirement that it adopt age-verification regulations by July 1, 2025 or push the deadline to July 1, 2026.
The CPPA Board Discusses a Future Focus On Employee Data
During the meeting, the CPPA Board briefly discussed upcoming rulemaking topics. It ultimately tabled any detailed discussion until the next board meeting.
Importantly, however, when asked to identify any topics that should have greater priority down the line, CPPA Board Member Alastair Mactaggart specifically commented on the importance of focusing on regulations regarding employee data and business to business data. Specifically, Mr. Mactaggart noted that the CCPA is weak on employee-related data. He said it may be necessary to adjust the scope of employee data compared to general consumer data.
This brief comment could have far-reaching implications if the Agency follows through to craft new regulations or guidance on employer obligations related to employee data.
Conclusion
Fisher Phillips will continue to monitor CCPA obligations and enforcement efforts and provide updates as warranted, so make sure that you are subscribed to Fisher Phillips’ Insights to get the most up-to-date information directly to your inbox. For further information, contact your Fisher Phillips attorney, the authors of this Insight, or an attorney on the firm’s Consumer Privacy Team. You can also visit our firm’s CCPA Resource Center at any time.
Related People
-
- Usama Kahf, CIPP/US
- Partner
-
- David Shannon, CIPP/US
- Associate