On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will officially go into effect. Businesses must ensure they comply with the proposed regulations in the upcoming new year or face civil damages that could total up to $1 million.
For those who need a quick refresher, the CCPA aims to give California consumers increased transparency and control over how businesses use and share their personal information. The CCPA impacts a wide range of businesses as it applies to all entities doing business in California and those collecting consumers’ personal information.
As a business owner, you must be wondering, “Does the CCPA affect me?” To help you navigate the many requirements of the CCPA, here’s a quick breakdown of what the CCPA entails and how to approach it.
Does the CCPA Apply to My Business?
Businesses are subject to the CCPA if one or more of the following are true:
- Has gross annual revenues over $25 million;
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
If your business doesn’t meet any of these requirements, you may be exempt from CCPA compliance.
On the other hand, businesses that handle the personal information of more than 4 million consumers will have additional obligations.
What Does This Mean?
Businesses subject to the CCPA must at minimum:
- Provide notice to consumers (on data collection practices) at or before data collection.
- Create procedures to respond to requests from consumers (to opt out, know, and delete).
- Respond to requests from consumers within specific timeframes.
- Verify the identity of consumers who make requests.
- Not sell personal information of consumers under the age of 16 without explicit consent.
How Can I Ensure CCPA Compliance?
- Write out a description of the categories of personal information to be collected.
- Clarify the purposes for which the disclosed categories of personal information will be used.
- Use “plain and straightforward” language.
- Make the policy available in languages usually used to provide notices to employees.
- Make the policy accessible to employees with disabilities.
- Present the policy before collecting employees’ personal information.
- The technologies used to collect personal data;
- What third parties, or service providers, will have access to personal data; and
- The purposes for which the third parties will use personal data.
Failure to include these kinds of disclosures in a policy may trigger an argument that the policy did not disclose information that a reasonable employee would want to know to make an informed decision.
CCPA Employee Exemption
Currently, the CCPA includes an “employee exemption” (AB 25) that distinguishes job applicants, employees, business owners, officers, medical staff, and independent contractors from consumers. This “employee exemption” has a one-year duration, giving the California legislature a one-year deadline to pass a separate employee privacy bill.
Nonetheless, the CCPA still requires employers to conduct the due diligence necessary to revise employee privacy notices. The employee exemption will only apply if the personal information is collected and used by the business, solely in the context of the person’s role or former role in that business.
The above information on the CCPA is a summary and is not exhaustive. Please consult with your attorney or Hackler Flynn & Associates if you need assistance in determining how you or your business are affected by the CCPA.
DISCLAIMER: Content within this post should not be considered legal advice and is for informational purposes only. Communications made through this post do not create an attorney-client relationship. Hackler Flynn & Associates is not responsible for any content that you may access from third-party resources that may be accessed through or linked to this post.