On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) will officially go into effect. Businesses must ensure they comply with the proposed regulations in the upcoming new year or face civil damages that could total up to $1 million.

For those who need a quick refresher, the CCPA aims to give California consumers increased transparency and control over how businesses use and share their personal information. The CCPA impacts a wide range of businesses as it applies to all entities doing business in California and those collecting consumers’ personal information.

As a business owner, you must be wondering, “Does the CCPA affect me?” To help you navigate the many requirements of the CCPA, here’s a quick breakdown of what the CCPA entails and how to approach it.

Does the CCPA Apply to My Business?

Businesses are subject to the CCPA if one or more of the following are true:

  • Has gross annual revenues over $25 million;
  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
  • Derives 50 percent or more of annual revenues from selling consumers’ personal information.

If your business doesn’t meet any of these requirements, you may be exempt from CCPA compliance.

On the other hand, businesses that handle the personal information of more than 4 million consumers will have additional obligations.

What Does This Mean?

Businesses subject to the CCPA must at minimum:

  • Provide notice to consumers (on data collection practices) at or before data collection.
  • Create procedures to respond to requests from consumers (to opt-out, know, and delete).
  • Respond to requests from consumers within specific timeframes.
  • Verify the identity of consumers who make requests.
  • Not sell personal information of consumers under the age of 16 without explicit consent.

How Can I Ensure CCPA Compliance?

If your business meets the requirements proposed in the CCPA, then you must review your Privacy Policy with your employees. Unfortunately, the CCPA does not clearly state what must be included in the Privacy Policy. Currently, the only official guidance on how to draft and implement CCPA-compliant employee privacy policies is detailed in the Attorney General’s (AG) draft regulations. However, the AG regulations are not final and do not distinguish between policies that must be provided to employees and those that must be provided to consumers.

Here are a few best practices for your Privacy Policy to insulate your business against any claims of “unfairness” and “deception”:

  • Write out a description of the categories of personal information to be collected.
  • Clarify the purposes for which the disclosed categories of personal information will be used.
  • Use “plain and straightforward” language.
  • Make the policy available in languages usually used to provide notices to employees.
  • Make the policy accessible to employees with disabilities.
  • Present the policy before collecting employees’ personal information.

We would also recommend additional disclosures in your Privacy Policy relating to:

  • The technologies used to collect personal data;
  • What third parties, or service providers, will have access to personal data; and
  • The purposes for which the third parties will use personal data.

Failure to include these kinds of disclosures in a policy may trigger an argument that the policy did not disclose information that a reasonable employee would want to know to make an informed decision.

CCPA Employee Exemption

Currently, the CCPA includes an “employee exemption” (AB 25) that distinguishes job applicants, employees, business owners, officers, medical staff, and independent contractors from consumers. This “employee exemption” has a one-year duration, giving the California legislature a one-year deadline to pass a separate employee privacy bill.

Nonetheless, the CCPA still requires employers to conduct the due diligence necessary to revise employee privacy notices. The employee exemption will only apply if the personal information is collected and used by the business, solely in the context of the person’s role or former role in that business.

Under AB 25, employers must not use personal information for a purpose not disclosed in the policy. Thus, an employer’s privacy policy must cover all of the employer’s different purposes for processing an employee’s personal information.

This upcoming year, your Privacy Policy must now be more transparent than ever. Make sure to update your policy and detail everything pertaining to data collection to ensure CCPA compliance.

The above information on the CCPA is a summary and is not exhaustive. Please consult with your attorney or Hackler Flynn & Associates if you need assistance in determining how you or your business are affected by the CCPA.

DISCLAIMER: Content within this post should not be considered legal advice and is for informational purposes only. Communications made through this post do not create an attorney-client relationship. Hackler Flynn & Associates is not responsible for any content that you may access from third-party resources that may be accessed through or linked to this post. Hackler Flynn & Associates is only licensed to practice in California.
