As if companies doing business in California didn’t already have enough compliance challenges, the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.
The purpose of the law is to grant a number of new rights to California consumers to control their personal information. A “consumer” is defined as a natural person who is a California resident. Under the CCPA, the additional rights for consumers include:
· The right to know what personal information is collected, used, shared, or sold. This includes categories of personal information and the personal information itself.
· The right to opt out of the sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information, subject to some exemptions.
· The right to non-discrimination in the terms of price or service when a consumer exercises a privacy right under the CCPA.
A business is covered by the CCPA if one or more of the following apply:
· Gross annual revenues of $25 million or more.
· Buying, receiving, or selling the personal information of 50,000 or more California consumers, households, or devices. That number can be met quickly, as 137 contacts per day with CA residents through, for example, a website, can add up to 50,000 consumer contacts per year.
· Deriving 50 percent or more of annual revenues from selling consumers’ personal information.
Businesses covered by the CCPA have a number of obligations:
· Provide notice to consumers before collecting data
· Verify identity of consumers who make requests to know and delete data
· Create procedures to handle opt-out requests, if applicable
· Respond to consumer requests within specific timeframes
Two recent CCPA amendments somewhat limit CCPA application relating to employee rights and business-to-business situations. The changes are small in scope and only last until January 1, 2021, unless further action is taken by the state to extend the amendments or change the overall law. A summary of the amendments is as follows:
· Employee rights limitations:
o Personal information that businesses collect about job applicants, employees, owners, directors, officers, and contractors will be exempt from a request to know or delete information that the employer or former employer collected about a job applicant, employee, owner, etc.
· Business-to-business limitations:
o Excludes CCPA coverage for individuals whose personal information is collected in a business-to-business context
If businesses subject to the CCPA haven’t already finished, they should be in the final stages of preparing to comply with the law. Steps to consider include:
· Creating a data flow map or data inventory to understand all the ways in which personal information is obtained, the types of personal information collected and shared, the purposes for which the personal information is used, the parties with whom personal information is shared and why, and how personal information is retained and secured.
· Regarding disclosures, identify all vendors and other third parties with which personal information is being shared.
· Consider running an internal test to assess the company’s preparedness in responding to a consumer request to access and/or delete their personal information. Think about the ability to do the following:
o Verify the validity of the request
o Find all the relevant personal information
o Provide all the information the CCPA requires in a disclosure
o Remove all the personal information from the company’s systems, or establish a legal basis for retention
o Honor a “do not sell” request, if applicable
Because the law was rushed through and not written in a completely clear manner, a number of questions on CCPA compliance remain. The California Office of the Attorney General (OAG) is reportedly going to issue clarification on the law at some time this month. Watch for updates from myHRcounsel as more information becomes available.