The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.
Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”