Posted: August 22, 2019
The California Consumer Privacy Act ("CCPA"), which goes into effect January 1, 2020, imposes new privacy regulations on businesses throughout California. It will affect how businesses interact with consumers as well as employees.
To which businesses does the CCPA apply?
Generally, the CCPA applies to all for-profit entities that collect and process the personal information of California residents and that meet at least one of the following criteria: (1) $25 million annual gross revenue, (2) 50% revenue derived from selling personal information, or (3) receive, buy, or share personal information relating to 50,000 consumers annually.
Does the CCPA apply to your business?
The CCPA is very broad. "Collect" means gather, receive, obtain, buy, rent, or access any personal information about a consumer by any means. This includes receiving personal information from a consumer, either actively or passively, or by observing the consumer's behavior.
"Personal information" means information that identifies, or could reasonably be linked, directly or indirectly, to a particular consumer or household. This includes common categories like name, social security number, address, and bank information, as well as broader categories like IP address, email address, account name, purchasing history, internet activity, and/or geolocation data.
As an example, if a business collects the IP addresses of visitors to its website and that website receives 137 unique visitors per day, which is more than 50,000 per year, then the CCPA applies: the business meets the third criterion listed above because it receives the personal information of 50,000 consumers per year.
Why does the CCPA matter?
The CCPA provides consumers with new rights. Consumers will have a right to know what personal information a company collects, sells, or discloses, the company's business purpose for the collection or sale of the information, and the categories of third parties with whom the company shares that information. Consumers will have the right to request deletion of their personal information unless an exception applies. Consumers will also have the right to opt out of the sale of their personal information and be free from discrimination for electing to do so. Receiving a deletion request from a consumer also creates an obligation for the company to notify its service providers to delete the consumer's personal information from their records. Depending on the amount of information a company collects from consumers, responding to consumer requests could result in the expense of considerable resources.
Does the CCPA impact the way businesses handle employee information in addition to consumer information?
Yes, the CCPA requires employers to disclose to employees and job applicants the categories of personal information they collect and the purpose for which the information is used. Additionally, like consumers, employees will be able to make requests to their employers that allow them or their attorneys to obtain documents and records that contain their personal information. This creates a new avenue of pre-litigation discovery for employees in addition to their existing right to request personnel and payroll files. The California Legislature has recently moved to give employers more time to comply with this portion of the CCPA by introducing Assembly Bill 25. If Assembly Bill 25 passes, employers will have until 2021 to respond to employees' personal information requests under the CCPA.
Does the CCPA create a risk of litigation?
Yes, the CCPA provides consumers and employees a special right to sue a company directly if their information is subject to a data breach as a result of the company's failure to implement reasonable security practices and procedures. This opens the door to litigation where there has been no financial injury to the consumer. This special right is known as a Private Attorney General Action and allows an individual to sue on behalf of all similarly situated persons, which can greatly increase the amount of recoverable penalties. All other aspects of the CCPA, except for the data breach provisions, may only be enforced by the state attorney general.
What should your business do to comply with the CCPA?
Contact legal counsel for assistance with applying the law to the unique needs of your business.
Establish written security and privacy policies and update websites to provide all required notices.
Develop systems to receive, track, and timely respond to consumer requests related to the CCPA, including a toll-free telephone number and an e-mail address.
Conduct a comprehensive data security risk assessment for all personal information your company holds.
Train employees on how to implement and maintain security practices and procedures.
Keep an eye out for further guidance to be released by the California Attorney General in the coming months.
How much time does your business have to comply with the CCPA?
Be aware that the CCPA is being updated and revised regularly. There are several proposed changes pending before the state legislature. The California Attorney General will release guidance on how to implement the law, but it is unclear when that will happen. For now, enforcement of the CCPA will begin six months after the Attorney General's regulations are released, or on July 1, 2020 at the latest.
If you have any questions about how the CCPA could affect your business, our attorneys are available to provide guidance on this rapidly evolving issue.