As we move closer to implementation of the California Consumer Privacy Act of 2018 (“CCPA”), companies should consider how the new law could affect their operations in multiple ways – including, for example, data collected through their employee benefit plans.
As we have previously reported, the CCPA applies broadly to any for-profit business that meets certain thresholds and that collects personal information regarding consumers. While use of the term “consumer” may suggest a particular type of relationship, the term is defined broadly to include any California resident – and as a result, in its current form the CCPA also will apply to information collected by covered businesses about their California employees. Whether the CCPA also applies to data collected about California residents under employee benefit plans of covered businesses will likely depend in part on the type of plan:
- Health Plans. Following its amendment in September 2018, the CCPA includes an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to the HIPAA privacy rules. Because employer-sponsored health plans are HIPAA-covered entities, any PHI held by a self-insured plan and subject to HIPAA will be outside the reach of the CCPA. The exemption also applies to PHI held by business associates, such as third-party administrators for health plans. However, certain other health-related information that is held by an employer outside of the health plan – such as information related to disability benefits or sick leave – is not covered by this exemption.
- Retirement and other ERISA Plans. The CCPA does not specifically address its application to benefit plans not covered by HIPAA. For plans that are subject to the Employee Retirement Income Security Act of 1974 (“ERISA”), such as 401(k) plans and other qualified retirement plans, it is possible that the CCPA could be preempted by ERISA – but unlike the health plan exemption, it is not clear from the statute.
- In general, ERISA preempts state laws that govern a central matter of plan administration or that impermissibly interfere with nationally uniform plan administration. For example, in its 2016 decision in Gobeille v. Liberty Mutual Insurance Company, the U.S. Supreme Court held that ERISA preempted a Vermont law requiring various entities, including self-insured plans and third party administrators, to report payments relating to health care claims and other information regarding health care services.
- The CCPA imposes new requirements regarding retention and deletion of personal information, and certain disclosures regarding use of personal information. Because reporting, disclosure and recordkeeping are key areas of regulation under ERISA, it is possible the law could be preempted on the basis that it impermissibly interferes with plan administration. In the absence of further guidance, however, it is not certain to what extent preemption would apply – and it is also possible that a court could find that ERISA preempts some aspects of the law but not others.
- Non-ERISA Benefits and Employment Practices. Even if the CCPA is ultimately determined to be preempted in the context of ERISA plans, it will still apply to data collection by an employer in its capacity as an employer, as well as data related to benefits and policies not covered by ERISA. This includes information collected by an employer in connection with administering vacation, sick leave, paid time off or leaves of absence. Other benefits that are generally not subject to ERISA include health savings accounts, dependent care flexible spending accounts, many short-term disability plans and certain voluntary benefits.
The California State Legislature is expected to consider more changes to the CCPA in 2019 – so we may receive more guidance about the application of the law in the employment context. In the meantime, employers and benefit plan sponsors subject to the CCPA will want to consider how the new law could apply to their own benefit plans and the data of their plan participants and beneficiaries. Since many plans are administered by third party record-keepers, employers and plan sponsors may also want to reach out to their vendors to ask about any plans being put in place to comply with the CCPA.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code