With the all-encompassing distraction of keeping up with the evolving COVID-related guidance, ordinances, and regulations, many employers have forgotten the other looming problem with a capital “C” – California Consumer Privacy Act (CCPA). With its misleading title, many businesses believe it is only outward facing, toward their consumers. However, aspects of the CCPA apply inwardly to employees, and, nearly a year after it went into effect, the increased experience of remote work has made compliance with its mandates even more crucial.
WHAT DOES CCPA REQUIRE?
Generally speaking, CCPA requires businesses to disclose in a “notice at collection” the type of personal information it collects about its consumers and how that information will be used, including whether that information will be sold. “Personal information” is defined quite broadly to include “information that identifies, is related to, describes, is reasonably capable of being association with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The “notice at collection” on a website needs to link to the Privacy Policy and, if personal information will be sold, a link to the Do Not Sell page. Businesses must provide consumers with a simple-to-use mechanism to opt out of allowing the business to use or sell that personal information, subject to some limited exceptions. Failure to comply with CCPA could result in civil penalties from $2,500 to $7,500, depending on whether the violation is intentional, although such penalties are only available to California residents.
Generally speaking, a business may not deny goods or services, or charge a different price for the goods or services, if a consumer has exercised rights under the CCPA. However, businesses may do the inverse and offer discounts and promotions to consumers who agree to allowing the business to collect or sell personal information.
The full statement of the law is set out in CA Civil Code Sections 1798.100 – 1798.199. However, the CCPA remains a slightly moving target in that several legislative moves have been made to amend the statute further. Most recently, on March 15, 2021, the California Office of Administrative Law approved further revisions to the law. Even before this, however, numerous class actions have already been filed alleging various violations of the CCPA and testing its application to non-California plaintiffs utilizing the services of a California business while in California.
DOES CCPA APPLY TO ALL CALIFORNIA BUSINESSES?
No. CCPA currently applies to for-profit businesses in California that collect consumer personal information and either: (a) have annual gross revenue in excess of $25 million; (b) buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more consumers, households, or devices in a year (not limited to those just in California); or (c) earn 50% or more of the annual revenue from selling consumer personal information. However, it is important to note that it applies both to businesses that collect information on-line as well as in-person at brick-and-mortar locations.
DOES CCPA PROTECT CALIFORNIA EMPLOYEES?
Yes. “Consumer” is broadly defined in the statute as “a natural person who is a California resident” and “personal information” is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and expressly includes employment-related data.
Enforcement of CCPA by the California Attorney General has already commenced.
WHAT SHOULD BUSINESSES BE DOING NOW?
Update, train and prepare.
• Update written policies and practices across all company websites that collect information, even job applicant information. Make sure the privacy policy and opt-out mechanisms are drafted and programmed correctly. And, while you’re at it, make sure your website complies with the Americans with Disabilities Act (ADA). California businesses have seen waves of lawsuits for ADA violations by websites.
• Train employees to comply with CCPA. For example, while employers may have automated CCPA-compliant controls for their online data collection of consumer personal information, COVID-related safety protocols have crossed over into CCPA territory. Specifically, many businesses are taking the temperature of their customers and visitors on premises before letting them in. Such information falls squarely in the definition of “personal information” and must be handled appropriately so as not to violate CCPA.
• Prepare for the upcoming changes. In July of 2021, the California Privacy Protection Agency (CalPPA), the first privacy enforcement agency in the country of its kind, is expected to take over additional CCPA rulemaking. CCPA is not going away.
Karina B. Sterman is a partner in the Employment & Litigation Groups at Greenberg Glusker LLP. She can be contacted at [email protected].
Return to Event Page
