As the California legislature closes its 2019 session, two new laws set to go into effect in January are rattling the HR and data privacy foundations of U.S. businesses, with aftershocks guaranteed.
Assembly Bill 5, which dictates how to determine if a worker is a contractor or an employee, has gotten plenty of press — its likely effect on gig economy companies makes for splashy headlines. But the California Consumer Privacy Act, which survived the session intact despite hard lobbying, will certainly shake up a much wider swath of companies.
The CCPA was signed into law in mid-2018 but goes into effect on Jan. 1, 2020, as does AB 5. Both are likely to affect businesses in the Golden State and beyond. The question for CFOs is, “How exposed are we?”
AB 5 drew media attention for its potential seismic effect on so-called “gig economy” giants like Uber, Lyft, DoorDash, Instacart and their ilk. At its core, AB 5 seeks to simplify the task of determining if a worker should be classified as an employee of a company or as a contractor by adding clarity to relevant guidelines. Employees have lots of rights, particularly in California, while contractors have comparatively few.
While AB 5 does have significant ramifications for gig economy companies, that’s just part of the story. Some traditional employers looked at the gig model, saw potential benefits to their bottom lines, and decided to adopt it for themselves. This is what got lawmakers writing.
Cities and the state have a big financial stake here as well: They’re missing out on significant revenue. California estimates (opens in new tab) that it’s losing more the $7 billion annually to misclassified employees.
The law codifies a 2018 California Supreme Court decision that found that a company, Dynamex Operations West, which offers same-day courier services, had improperly reclassed a large percentage of its workforce as contractors. In the process, it slashed benefits and forced couriers to use their own vehicles to make deliveries — Dynamex’s core business.
These actions were egregious enough that AB 5’s passage was never in question. Rather, the significant unknown was which businesses would be exempted from the new law. Wrangling went down to the wire and the list is a long one, with some very narrow carve-outs — and some not-so-narrow ones.
An excellent article (opens in new tab) by the L.A. Times outlines the rationale:
“Exempted workers include doctors, dentists, lawyers, engineers, accountants, architects, realtors, travel agents, graphic designers, human resources administrators, grant writers, marketers, fine artists, investment advisors and broker-dealers.
Several exemptions come with conditions. Commercial fishermen are exempt, except from unemployment insurance. Barbers, cosmetologists and manicurists are exempt only if they set their own rates, are paid directly by clients and schedule their own appointments. Salespersons are exempt, provided their pay is based on actual sales, rather than wholesale purchases or referrals.”
If it seems like some major lobbyists didn’t get the language they wanted, you’re right.
Biggest Loser, Silicon Valley?
What really got the attention of the press is that companies like Uber and TaskRabbit, which rely on armies of contractors, are not exempted from the law. Lobbying was intense on both sides of the question, but it was clear that progressive lawmakers were siding with workers (opens in new tab) who’d made such gigs their sole employment.
But don’t cry for Uber. In the panoply of corporations acting badly, gig companies stand out. In the face of competition, they’ve moved from relatively good treatment of their opt-in contract workers to progressively worse conduct. Consumers are also suffering as they’ve scaled back training and outsourced background checks to the point where workers need little more than a car and a pulse to drive.
None of that sits well with progressive lawmakers.
The gig companies, for their part, say that they’re different from the Dynamexes of the world since they never held out the promise of regular employment or benefits. They cite huge turnover rates and the fact that drivers set their own schedules and use their own equipment as three points to indicate their workers aren’t employees.
They have a somewhat sympathetic ear in California governor Gavin Newsom, who endorsed the bill this past Labor Day (opens in new tab) but has also recognized that gig workers don’t fit well into either definition. Newsom has urged gig companies to work with lawmakers and labor to develop a third classification that, in particular, enables workers to unionize and collectively bargain. Currently, only employees can form unions. The governor probably believes, correctly, that everyone will be happier if the companies and their workers sit down and hammer out a deal that, even if neither side is precisely happy, is at least workable.
If lawmakers set the rules, all bets are off.
What Does That Mean for Me?
Concerned CFOs, particularly those in California, should look to understand the Employee Classification Test codified by AB5. Though it’s stricter than the 11-part test that was established in the late 80s, it’s also easier to apply.
The so-called “ABC test (opens in new tab)” has three parts:
A worker is a contractor if all three of these are true:
In the original Dynamex ruling that drove AB 5, only certain worker rights were part of the decision; these include such core benefits as a minimum wage, worker’s compensation, and sick and family leave. In contrast, AB 5 provides workers with all employee rights and benefits if any of the above tests fail.
Gig businesses aren’t going to roll over. Without an exemption, they claim their costs will increase by about 30 percent, so the incentive to fight is significant. They’ve put some $90 million into a fund to drive a California ballot initiative (opens in new tab) in a bid to push the issue to voters. Uber and Lyft both say they won’t switch workers automatically to employees on Jan. 1, and other gig-based companies will likely follow suit.
Lawyers, start your engines.
For companies outside the gig economy, it’s time to take a look at your independent contractor lists. In California, the law will take precedence over one-off agreements: AB 5 specifically allows cities and the state to sue, regardless of arbitration deals in place. Individual workers will still have to abide by those agreements, but when they get to the table, mediators will have to consider the new law.
To understand their companies’ exposure, CFOs in California should work with HR teams to audit their contractors and apply the ABC test. Now is also the time to look at hiring practices for employees and non-employees more universally. Other states, particularly those like Massachusetts, New York and Illinois with strong employee protections, will almost certainly follow California’s lead. Right-to-work states almost certainly will not, no doubt setting up some fascinating B-school master’s theses on the eventual economic and societal results.
Of course, the IRS has been in the classification game for years, as there’s also significant federal revenue at stake. The feds have issued guidance on gig workers that allows for their contractor classification, but for most other industries, it’s a case-by-case consideration, with the IRS offering similar guidance (opens in new tab) to the ABC rule.
And of course, after the 2020 election, it’s anyone’s guess which way the IRS zags.
All this means that now is an excellent time for any company that uses contractors to look at its practices, with an eye to which way the wind is likely to blow in its state.
California Consumer Privacy Act
Earlier this year we wrote extensively (opens in new tab) on how privacy measures were affecting business in general and media in particular. Since then, a number of things have happened — none of them good for those whose businesses rely on processing personal information.
The just-ended California legislative session is notable for what the legislature didn’t do: Amend CCPA, California’s law that picks up the mantle established by the EU’s General Data Protection Regulation (opens in new tab), bringing to the United States most of GDPR’s protections and requirements for those who store or process personal information.
In August, six bills were reported out of committee (opens in new tab) before the legislature’s summer recess. With Sept. 13 marking the end of the session and a requirement that all bills be submitted in writing three days before they may be voted on, lobbying was intense to move the bills forward and provide relief or exemptions for some of the state’s biggest companies, Google and Facebook among them.
Some of the bills sought clarification of conditions of CCPA, mostly in a way that would water down its effect; others sought carve-outs or tinkered around the edges. In the end, none progressed. As of Jan. 1, the California attorney general has broad authority to fine any company using a consumer’s personal data in ways out of conformance with the law.
The EU Gets Serious
CCPA largely mirrors the protections and requirements of the EU’s GDPR, and that’s where more bad news lies. This year, EU regulators have levied (opens in new tab) fines totaling nearly 360 million euros, with British Airways ponying up about half of that. BA lost 500 million records to a cyber attack and didn’t have enough controls in place to protect the data, according to British regulators.
Compromised data is driving the biggest fines, but regulators aren’t stopping there.
Marriott saw the second largest fine, 99 million euros. Its Starwood affiliate was breached and lost 8 million unencrypted credit card records and 5 million user IDs and passwords. Google rounds out the Big 3. It was fined 50 million euros by French authorities for improper use of user data within its apps.
Meanwhile back on this side of the pond, New York failed to pass (opens in new tab) what would have been an even stiffer privacy law, one that introduced the idea a fiduciary responsibility around personal data that mirrors the responsibility of financial institutions to protect money in their trust. The law would have exposed companies to lawsuits for shabby protection of data and for doing anything that would diminish data’s value or harm the owner, like selling or trading personal information to third parties. Expect the New York bill to come up again, and probably become law within the next year or so, based on trends in the state. For example, recently New York did pass a law (opens in new tab) toughening data breach requirements. The new law allows for broader definitions of private, personal data and a more expansive definition of what constitutes a breach.
As the effective date for CCPA draws near, Business Roundtable executives are pushing (opens in new tab) for federal rules; petitioners include Amazon, IBM, Salesforce, Target and other heavy hitters. The rationale is clear: These laws are written to regulate any company that keeps data on a state resident and in that way don’t stop at the border. If states start creating their own data privacy laws, the ensuing regulatory patchwork will be almost unnavigable by businesses.
The specter of each state creating its own rules and bringing its own suits against violators is terrifying for the business community. The Roundtable envisions exactly that and is asking Congress to create a single, well-understood, equitable set of rules. This is not Congress’ strong suit, and with the House and Senate held by opposing parties, don’t look for federal action soon.
And Then There’s China
China is also getting into the privacy act, with an important differentiation from U.S. and EU laws: Its rule is less permissive of implied contracts when it comes to processing an individual’s data. China wants explicit consent.
In the EU and the United States, data processors are allowed to do their thing with personal data if an implicit contract exists. So, for example, if you ask Google Maps to get you from Point A to Point B, you’ve implicitly allowed Google to use your location data to get the job done. In China, you must get explicit agreement.
For the most part, China in 2019 has worked to pull together a variety of privacy rules from its various enforcement agencies and create one GRPR-like specification that describes what the state expects from data collectors and processors. The rules are so new that it’s difficult to assess how China will use them. But so far (opens in new tab), it’s been evaluating apps and sites to identify those that seek to capture “excessive” data.
With definitions of protected data broadening and more states and nations jumping into the act, CFOs should treat personal data collection as a risk that must be managed. Of the lot, GDPR is the best understood and exercised set of rules, and most others derive from it. Working toward compliance with GDPR will likely keep you in good stead with regulators, for now. But it’s important to watch enforcement of other rules as they go into effect.
Elements of managing risk include employee training, delegation of specific responsibilities to named officers, carefully protecting data in your possession and processing data only to the extent known and agreed to by the individual owner. Most companies will need to do work to come into compliance.
Right now, a focus on proper protection of data is most important. If your company is breached and private data in your control is not protected, expect a hefty fine. Compliance takes time, so waiting until CCPA’s January 2020 enforcement date is not a good idea.