Starting January 1, 2020, the California Consumer Protection Act (CCPA) takes effect, with enforcement of the law beginning July 1. This bill will affect businesses that meet any of the following criteria:
1) The business has annual gross revenues over $25 million;
2) The business receives, sells, or shares personal information about more than 50,000 CA consumers, households, or devices annually;
3) The business earns more than half of its annual revenue from selling consumers’ personal information.
In order to be compliant with the CCPA, first one must understand the definitions of phrases in the act. Personal information is broadly defined as anything that identifies, relates to, or can be reasonably be linked to a specific household or consumer. Examples of personal information include names, addresses, Social Security numbers, etc.
We’re here to help
If you have questions about CCPA compliance as an employer, ask a lawyer.
What consumer rights are covered by the law?
The CCPA provides consumers with numerous rights, that if exercised will require a bit of backend work on the business’ part. Consumers have the right to request the following: the specific information a business has collected about them, how the information will be used, if any third parties will have access to it, and the purpose of collecting that information. Businesses must provide an answer to all verifiable requests within 45 days.
Consumers can also request that their personal data be deleted by a business. Similar to the GDPR’s “Right to be Forgotten”, there are limitations to data deletion, which include:
- Legal compliance and other legal purposes
- Security purposes
- The data is needed to complete a transaction or service requested by the customer
Does CCPA apply to employee data?
One of the big questions surrounding the CCPA is if it applies to employee data. Assembly Bill 25 (AB-25) has been added as an amendment to the CCPA, as a temporary solution. The bill exempts employers until January 1, 2021, to be compliant under the CCPA regarding employee and job applicant data when the information is being used for human resource purposes. After this exemption period, employees will be awarded the same rights.
How do I comply with CCPA as an employer?
These policy updates should reflect all the required CCPA disclosures:
- An opt-out from the sale of consumer data
- Categories of information collected within the last 12 months and their sources
- Description of the new rights of CA residents
- How to submit a data deletion request
- Purpose of data collected
- List of categories for all personal information disclosed within the last 12 months
At first glance, CCPA compliance may seem like a daunting task due to employers having to comply not only for consumers but also for their CA employees. Luckily for employers, the California legislature has allowed a six month grace period for CCPA consumer compliance and a year-long grace period regarding employee data. If you follow the tips and tricks above and get a head start on revamping your data collection practices, your business will be in good shape for the upcoming year.
If you have questions about how CCPA applies to your business, ask a lawyer.