AB 25 would exempt: "Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role" as such.
However, the California Senate altered the bill in a few key ways:
- Employers would be required to inform employees about what information they are collecting and why they are collecting it, and
- The law’s private right of action in cases of a security breach would apply to HR data.
A one-year sunset provision was also added, potentially setting the stage for a significant effort to regulate the use of HR data (such as monitoring performance) in California.
Why it matters: While AB 25 represents a step in the right direction, the one-year sunset provision may signal the beginning of an effort in California to regulate HR data specifically. Meanwhile, the drum beats on at the federal level, with the Business Roundtable publishing a letter signed by 51 CEOs urging Congressional action on a national, preemptive consumer data privacy bill.