Until January 2021, employers are not legally required to handle employee data in the same manner as consumers under the California Consumer Privacy Act. However, experts recommend scrutinizing employee and contractor data to avoid litigation and challenges to regulatory changes in California and elsewhere in the future.

In a webinar titled "Bracing for the Wild Ride in Data Privacy Regulation," sponsored by Corporate Counsel and LexisNexis on Thursday, Mark Brennan, a global innovation partner at Hogan Lovells in Washington, D.C., said that while the CCPA was being crafted, there was not total clarity on what should be done about employee personal information.

"There was not, at the time, an alternative framework for employee data," Brennan said.

In October, however, Assembly Bill 25 was signed into law. The law exempted employers for one year from complying with the CCPA with respect to a person who is an employee, job applicant or director or officer. AB25 sunsets at the end of the year and employees will then be granted the same protections from their employers guaranteed to consumers under the CCPA.

Although AB25 is active for the next nine months, employees still have the option to sue their employers over data breaches, Sean Nalty, a shareholder at Ogletree, Deakins Nash, Smoak & Stewart in San Francisco, said in an interview with Corporate Counsel on Friday. That exemption coupled with the broad terms of the CCPA could lead to heavy fines.

"Each piece of personal information that is subject to the breach can lead to damages of between $150 and $750 per breach," Nalty explained. "It is important that companies make sure their culture and standards are focused on data privacy protections."

Philip Yannella, a partner at Ballard Spahr in Philadelphia, said in an interview with Corporate Counsel on Friday that in-house counsel should remember some of the most sensitive data companies hold in their employees' personal information.

"We work with a lot of California businesses to beef up their arbitration clauses to include the CCPA private right of action to provide some protection against such claims," Yannella said.  "This can be challenging because California plaintiffs lawyers have been very creative in finding new ways around arbitration clauses and California courts, generally speaking, have been reluctant to enforce arbitration clauses."

Data mapping is one key way to track that sensitive information. Brennan said that legal departments should be partnering with human resources to see how their employee data is being used.

"If you're already going through the resource expenditure to do the data mapping for other types of data, you can tack this on easily," Brennan said.

It is unclear if AB25 will be amended, though Yannella believes it is likely it will continue past its current expiration date of Jan. 1, 2021.

"AB25 had a lot of support and there are some very good reasons not to extend all consumer rights to employees under the CCPA. My hunch is that the employee carve-out will be extended beyond 2021, and perhaps permanently," Yannella said.