Not so HR-y, HR.
California Consumer Privacy Act
By C.J. Pearl of Pearl Legal, APC
For a number of years, California has been at the forefront of consumer protection issues, whether through its broad Business and Professions Code or the Consumer Legal Remedies Act. Now, California is moving to implement strong protections for consumer data through the California Consumer Privacy Act (“CCPA”).
The CCPA, enacted in 2018 and taking effect on January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The regulations establish procedures to facilitate consumers’ new rights under the CCPA and provide guidance to businesses on how to comply.
So, what is the CCPA? In sum, it is an Act that provides protections to consumers including the following:
- The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;
- The right to delete personal information held by businesses and, by extension, a business’s service providers;
- The right to opt-out of the sale of personal information; and
- The right to non-discrimination in terms of price and service when a consumer exercises a privacy right under the Act.
But with these consumer protections also come new, and often convoluted, requirements on businesses (like yours!). However, before freaking out, determine whether the Act applies to your business. A business affected by the CCPA must meet one of the following requirements:
- Has at least $25 million in annual revenue;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices; or,
- Collects more than half of its revenues from the sale of personal data.
Importantly, companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
Now, if your company falls under the requirements of this new Act, what must it do? It must take actions, including, but not limited to, the following:
- Provide notice to consumers at or before data collection;
- Create procedures to respond to requests from consumers to opt-out, know, and delete;
- Respond to requests from consumers to know, delete, and opt-out within specific timeframes;
- Verify the identity of consumers who make requests to know or delete.
In addition to the notice, the law specifies that companies must have a clearly visible footer on websites offering consumers the option to opt out of data sharing. If that footer is missing, consumers can sue. They can also sue if they can't find out how their information has been collected or get copies of that information.
The CCPA originally covered employee as well as consumer data. An amendment passed last April, however, exempts employee data from the regulation. Another amendment, AB 25, partially exempts personal information collected from job applicants, owners, directors, officers, medical staff, and contractors. This exemption would expire on January 1, 2021.
For more information, the office of the California Attorney General has provided this helpful fact sheet:
This is only a brief overview of the Act, and this newsletter is not intended to be legal advice. If you have any further questions or interest in discussing this further, please contact firstname.lastname@example.org or our legal partner, C.J. Pearl of Pearl Legal, APC in Irvine, CA (email@example.com).