CCPA: What You Need To Know About California’s Sweeping New Privacy Law
The California Consumer Privacy Act (the CCPA), effective January 1, 2020, defines sweeping new privacy rights for California residents—including the right to know what personal information businesses are collecting, how the information is used, and the right to request that the information be deleted—and in turn, places significant new responsibilities on businesses.
The CCPA creates rights surrounding a broad range of personal information, including identifiers such as a name, postal address, email address, or social security number, characteristics of protected classifications under California or federal law, and information related to internet activity, such as browsing and search history.
An amendment to the CCPA, A.B. 25, signed by Governor Newsom on October 11, 2019, clarifies data privacy requirements for employers with over $25 million in annual revenues or those who regularly deal in the collection of consumer data. With respect to personal information collected and used in the employment context, all that is required until January 1, 2021, is to inform employees, contractors, and job applicants of the following:
- the categories of information being collected, and
- the purpose for which the information will be used. This notice must be given at or before the time the information is collected.
Who Is Covered by the CCPA
The CCPA only applies to businesses that meet at least one of the following thresholds:
- Annual gross revenues exceeding $25 million or
- Buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices, or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
An entity that controls or is controlled by a business that meets at least one of the above criteria and shares common branding with that business is also covered by the CCPA.
How the CCPA Affects Personal Information Collected In the Employment Context (Jan. 2020-Jan. 2021)
A.B. 25 amended the CCPA to include a one-year sunset provision exempting certain types of personal information from many of the statute’s provisions. Specifically, employers are only required to disclose the type of information being collected, and the way in which the information will be used, with respect to the following:
- Information collected in the course of an individual acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of the business to the extent the information is used solely in the employment context.
- Personal information collected and used in the employment context for the above individuals.
- Personal information needed for a business to administer benefits for the above individuals.
Employers should also ensure they have implemented reasonable security measures to protect personal information. A.B. 25’s amendments do not suspend an individual’s right to file a civil lawsuit if a data breach occurs because a business failed to implement reasonable security safeguards.
Also of note, while this exemption purports to apply to information collected from contractors, this term is narrowly defined as “individuals working under a written contract,” and thus extra care should be taken when evaluating a business’ obligations with respect to personal information collected from independent contractors.
Background: The version of A.B. 25 that ultimately became law has been called a compromise bill, as a more employer-friendly version that would have excluded certain employment-related information from the CCPA entirely was passed by the Assembly in May of 2019. That bill was later amended by the Senate to include a Jan. 1, 2021 sunset clause and to require that businesses make the above disclosures to consumers in the interim year between the CCPA’s effective date (Jan. 1, 2020) and the exemption’s expiration date (Jan. 1, 2021).
Post-Jan. 2021 Obligations for Personal Information Collected in the Employment Context
While these employment-specific exemptions may be extended past January 1, 2021 through further legislation, employers should be prepared to comply with all of the CCPA requirements by 2021, including the following:
- A business’ obligation to disclose the specific pieces of personal information it has collected about a consumer to that individual.
- A business’ obligation to delete personal information collected about a consumer or notify consumers of their right to request deletion of this information.
- A business’ obligation to disclose information about its sale of a consumer’s personal information and a consumer’s right to opt out of the sale of his or her personal information.
Other Obligations Imposed on Businesses:
→ Disclosures to Consumers
The CCPA governs the collection, retention, disclosure, sale, and deletion of “personal information.” Personal information is all-encompassing: any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or household. “Consumers” include all California residents.
The CCPA requires businesses to disclose the categories of personal information they collect and the purpose for which the information will be used, at or before the point of collection. Businesses must also inform consumers of their right to request deletion of their personal information, disclose any financial incentives offered for the collection, sale, or deletion of personal information, and to the extent that a business sells personal information, inform consumers of their right to opt out of this sale.
In response to a verifiable request from a consumer, a business must provide a detailed description of:
- The categories of personal information it has collected about the consumer,
- The categories of sources from which the personal information is collected,
- The business or commercial purpose for collecting or selling personal information,
- The categories of third parties with whom the business shares personal information, and
- The specific pieces of personal information the business has collected about the consumer.
A business that sells personal information or discloses the information for business reasons must make similar disclosures upon receipt of a consumer request:
- The categories of personal information that the business collected about the consumer,
- For each third party to whom the information was sold, the categories of personal information that were sold to that entity, and
- The categories of personal information the business disclosed for a business purpose.
→ Disclosures in Privacy Policies and on Website
- A description of consumers’ rights under the CCPA and one or more designated methods for the submission of consumer requests.
- A list of the categories of personal information the business has collected in the preceding 12 months and, for each category, a description of the source of the information, the business or commercial purpose for collecting the information, the categories of third parties with whom the information is shared, and the specific information collected.
- A list of the categories of personal information sold in the preceding 12 months, or a statement that no information has been sold.
- A list of the categories of information disclosed for a business purpose during the preceding 12 months, or a statement that no information has been disclosed.
These disclosures should be updated at least every 12 months. Further, businesses must ensure that the individuals responsible for handling consumer inquiries about the business’ privacy practices or compliance with the CCPA are informed of the statute’s requirements.
→ Deletion of Information
Upon receipt of a consumer’s request that a business delete their personal information, the business must comply and must direct any service providers to do the same, unless the information is necessary for one of nine enumerated purposes. Acceptable reasons for declining a request to delete personal information include: enabling solely internal uses of the information that are reasonably aligned with the consumer’s expectations, complying with a legal obligation, or completing a transaction for which the information was collected.
→ Consumer Requests for Information and Timeline for Responding
A business must offer at least two methods for consumers to submit requests for information, including a toll-free telephone number. Businesses that operate exclusively online and maintain direct relationships with consumers need only offer an email address where requests can be submitted. Businesses that have websites must allow requests to be submitted through their website.
When a verifiable consumer request is received, the business has 45 days to disclose the requested information. The CCPA authorizes one 45-day extension where reasonably necessary, and a second extension of up to 90 days as long as the business informs the consumer of the extension within 45 days of the initial request and explains the reasons for the delay.
A business is required to provide personal information in response to a consumer request up to two times in a 12-month period. The disclosures mandated by the CCPA must be made free of charge and can be communicated by mail or electronically. Electronically produced materials must be in a portable and readily useable format that the consumer can transmit to a third party, unless production in this manner is not technically feasible. To the extent that a consumer maintains an account with the business, the disclosure should be made through that account.
→ Repercussions for Violating the CCPA
The CCPA authorizes a private right of action only when a consumer’s non-encrypted or non-redacted personal information is subject to a data breach due to a business’ failure to adopt reasonable security practices to protect the information. Prior to initiating such an action, the consumer must first provide 30 days’ written notice to the business. During this time, the business has the opportunity to cure the alleged violation and avoid a lawsuit. The CCPA provides that a Plaintiff consumer may recover statutory damages between $100 and $750 or actual damages, whichever is greater. Consumers can also seek any relief the court may deem proper, including declaratory and injunctive relief.
Other alleged violations of the CCPA, including violations of its non-discrimination provision, must be prosecuted by the Attorney General. A business that unintentionally violates the CCPA may be liable for a civil penalty of $2,500 per violation while an intentional violation could result in a $7,500 penalty per violation. The Attorney General will adopt implementing regulations no later than July 1, 2020.
Items Outside of the CCPA’s Scope
A business may be excepted from the CCPA’s directives to the extent necessary to: comply with the law, comply with an investigation by the authorities, cooperate with law enforcement agencies, or exercise or defend legal claims. Similarly, the CCPA is not intended to limit attorney-client privileged communications. The CCPA further authorizes the use of private information that is de-identified or in the aggregate (information relating to a group of consumers from which individual identities have been removed or information that cannot reasonably be associated with or linked to a particular consumer and is further protected by enumerated safeguards) and the collection or sale of personal information where every aspect of the commercial conduct takes place wholly outside of California.
Certain information, businesses, and uses of information are specifically excluded from the CCPA’s coverage. Among other things, the CCPA does not apply to: medical information, certain healthcare providers, information collected as part of certain clinical trials, the sale of personal information to or from a credit reporting agency if the information will be used to generate or reported in a consumer report.
There is a lot to know about the CCPA, and it may seem daunting. If you have questions or would like assistance preparing a compliant disclosure form, please contact Dan Handman or China Westfall.
Dan Handman is a partner in Hirschfeld Kraemer LLP’s Santa Monica office. He can be reached at (310) 255-1813, or email@example.com. China Westfall is an associate in Hirschfeld Kraemer LLP’s San Francisco office. She can be reached at (415) 835-9067 or firstname.lastname@example.org.