CCPA Compliance Concerns for Employers as California Employees Return to the Workplace


As California reopens from the COVID-19 pandemic and workers begin returning to work in-person, many employers have begun requesting their employees provide, sometimes on an ongoing basis, certain health information before returning to the workplace. This includes information such as temperature checks, health surveys, COVID-19 test results, or proof of vaccination status. Given the likelihood that collecting this information will trigger certain requirements under the California Consumer Privacy Act (CCPA), employers should take certain measures to ensure they remain in compliance with the CCPA as their workplaces reopen.

The CCPA, California’s robust data privacy law that went into effect on January 1, 2020, applies to any employer that is a for-profit legal entity that does business in the State of California, collects the personal information of consumers (California residents), determines the purposes and means of the processing of consumers’ personal information, and meets one of the following thresholds:

  • Has a gross annual revenue of over $25 million;
  • Alone or in combination, annually buys, sells, receives or shares the personal information of 50,000 or more consumers, households or devices (which averages to approximately 137 pieces of personal information per day); or
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

The CCPA defines personal information quite broadly and includes health-related information such as an individual’s COVID-19 vaccination status. While this category of personal information is required to be disclosed under the CCPA, most of the provisions of the CCPA do not apply to information that is collected by a business from or about its employees (current, former and prospective) within the context of the employment relationship. This exemption has been extended until January 1, 2023, due to passage of the California Privacy Rights Act (CPRA).

While the employee exemption strips employees of the rights to request CCPA disclosures or deletion and to tell their employers not to sell their information, CCPA-covered employers are required to provide their employees a notice listing the categories of personal information the employer collects and how that information will be used. Employers are required to update the notice annually and before new types of information are collected or new uses for information are instituted. Therefore, businesses that are subject to the CCPA and that begin collecting COVID-19-related health information from their employees will need to provide, or update, a notice to that effect. This notice at collection must be given at or before the point at which an employer collects the personal information. It must be easy to read and understandable to consumers, list the categories of personal information the employer is collecting, and list the purposes for which the categories of personal information will be used. While employers subject to the CCPA should already have a notice at collection provided to their employees, it is important that the notice be updated to include notice of the type of health information being collected from employees in connection with their returning to the workplace.

Employers should also be mindful to not use the information collected for any other purpose unrelated to the employment context. Otherwise, they run the risk of having the collected information fall outside the scope of the employee exception and thus subject to the rest of the privacy rights granted by the CCPA. It should also be noted that if a CCPA-covered business is collecting COVID-19 or other related health information outside of the employment context—for instance, from customers or visitors to their facilities—the business must include disclosures about its collection, use and disclosure of that information in its privacy policy and its CCPA disclosures.

Despite the countless other health and safety concerns businesses face as California and the rest of the country begin to reopen, it is important for them to remain compliant with the CCPA to avoid incurring any enforcement actions by the California Attorney General.

