Background for Employers
In 2018, the California Legislature enacted the California Consumer Privacy Act (“CCPA,” Civil Code section 1798.100, et seq.). As originally enacted, the CCPA created privacy rights for “consumers,” specifically regarding the personal information that businesses collect about them. Notably, “consumer” is broadly defined under the CCPA as a natural person who resides in California, but California employers were largely spared from obligations under the original incarnation of the CCPA, other than providing notice of rights under the statute.
In 2020, by voter initiative, the CCPA was modified and expanded by the California Privacy Rights Act (“CPRA”). Among other changes, employees, job applicants, and independent contractors are now considered “consumers.” Thus, if a business is “covered,” it must comply with the CCPA not only as to its customers and potential customers but as to its employees, job applicants, and independent contractors.
(The CCPA and CPRA are together referred to as the “CCPA” throughout this post.)
What Businesses/Employers Are Covered Under the CCPA?
Generally, for-profit entities doing business in California that collect consumers’ personal information, whether directly or through a third party, and that meet any one of the following thresholds:
- Buy, sell, or share the personal information of 100,000 or more California residents or households;
- Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information; or
- Have gross annual revenue of over $25 million for the prior calendar year.
“Selling” and “sharing” also have specific definitions under the CCPA. “Selling” is straightforward: it means providing a consumer’s personal information to others for monetary or other valuable consideration. “Sharing” is different, but still has a commercial motive: it essentially means providing a consumer’s personal information to others for cross-context behavioral advertising (i.e., targeted advertising), regardless of whether there is a monetary payment or other consideration.
Importantly, even if an employer’s business model has nothing to do with selling or sharing consumers’ personal information, the fact that employees, applicants, and independent contractors are “consumers” means that an employer is “covered” if it meets the $25 million gross revenue threshold.
When Do Businesses/Employers Have To Comply?
Covered businesses/employers were required to comply with the CCPA as of January 1, 2023, and final regulations were issued on March 29, 2023. However, the California Chamber of Commerce obtained an injunction, delaying enforcement of the new regulations for one year from the date the regulations were issued, or until March 29, 2024.
What Rights Do Consumers (Including Employees, Applicants and Independent Contractors) Have Under the CCPA?
The California Privacy Protection Agency (CPPA), the new agency created to enforce CCPA rights, aptly used the acronym “LOCKED” (Limit, Opt-Out, Correct, Know, Equal, and Delete). Consumers have the right to:
L – LIMIT the use and disclosure of sensitive personal information collected about them. (“Sensitive Personal Information” is a subset of “Personal Information”: think Social Security numbers; driver’s license numbers; financial account access information; precise geolocation information; contents of mail, email, and text messages; genetic data; biometric information; and/or information about a consumer/employee’s health, sex life, sexual orientation, racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.)
O – OPT-OUT of the selling or sharing (as defined above) of their personal information.
C – CORRECT inaccurate personal information collected about them.
K – KNOW what personal information is being collected about them, including the categories of personal information collected, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom personal information is disclosed, and the specific pieces of personal information collected.
E – EQUAL treatment. Businesses cannot discriminate against consumers for exercising their CCPA rights.
D – DELETE personal information collected from them (subject to some exceptions).
What Steps Must Employers/Businesses Take to Comply with the Revised CCPA?
- Step 1: Inventory Personal Information Collected
Covered businesses/employers first need to map what personal information of their consumers (including employees, applicants and independent contractors) they collect, what it is used for, and how long it is retained.
- Step 3: Reasonably Limit the Collection, Use and Retention of Consumer’s Personal Information
Additionally, covered businesses/employers must limit the collection, use, and retention of consumers’ personal information to only those purposes that: (1) a consumer would reasonably expect, (2) are compatible with the consumer’s expectations and disclosed to the consumer, or (3) the consumer has legitimately agreed to. Bottom line: the collection, use, and retention of consumer information must be reasonably necessary and proportionate to the above purposes.
- Step 4: Timely Acknowledge and Respond to Consumer Requests to Exercise CCPA Rights
Covered businesses/employers also need to set up a procedure to receive and timely respond to consumer requests to exercise their rights under the CCPA (as noted above). Generally, for requests to delete, correct, or know, covered businesses/employers must confirm receipt of the request and provide information about how they will process it no later than 10 business days after receiving the request. The business/employer must then respond substantively to the request no later than 45 calendar days after receipt. A covered business/employer must comply with a request to opt-out or limit no later than 15 business days after receiving the request.
What If My Company Does Not Comply?
A consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices may bring a civil action for statutory damages on an individual or class-wide basis (after a 30-day cure period) to recover damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Because this private right of action is tied to a security failure, a business’s encryption and redaction practices directly affect its exposure.
Additionally, the State of California (through the California Attorney General) can bring a civil action against a business for violation of the CCPA to recover civil penalties of $2,500 per violation, or $7,500 per intentional violation. As with class actions, these relatively small per-violation amounts can add up quickly and lead to multimillion-dollar liabilities. The CPPA may also bring an administrative enforcement action to recover such penalties.
How Do I Get My Business Compliant?
Each step of this process is complex and time intensive, and it should be undertaken with counsel. Hirschfeld Kraemer’s employment lawyers are available to guide you through this process and help you become compliant with the CCPA as quickly and efficiently as possible.
For more information, contact Monte Grix in the Los Angeles, or Jenna Rogenski in the San Francisco office of Hirschfeld Kraemer LLP. Monte can be reached at 310-255-1827 or firstname.lastname@example.org. Jenna can be reached at 415-835-9009 or email@example.com.