WHAT DOES CCPA REQUIRE?
Generally speaking, CCPA requires businesses to disclose in a “notice at collection” the type of personal information it collects about its consumers and how that information will be used, including whether that information will be sold. “Personal information” is defined quite broadly to include “information that identifies, is related to, describes, is reasonably capable of being association with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
DOES CCPA APPLY TO ALL CALIFORNIA BUSINESSES?
No. CCPA currently applies to for-profit businesses in California that collect consumer personal information and either: (a) have annual gross revenue in excess of $25 million; (b) buy, receive for commercial purposes, sell, or share for commercial purposes personal information of 50,000 or more consumers, households, or devices in a year (not limited to those just in California); or (c) earn 50% or more of the annual revenue from selling consumer personal information. However, it is important to note that it applies both to businesses that collect information on-line as well as in-person at brick-and-mortar locations.
DOES CCPA PROTECT CALIFORNIA EMPLOYEES?
Yes. “Consumer” is broadly defined in the statute as “a natural person who is a California resident” and “personal information” is “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and expressly includes employment-related data.
Enforcement of CCPA by the California Attorney General has already commenced.
WHAT SHOULD BUSINESSES BE DOING NOW?
Karina B. Sterman is a partner in the Employment & Litigation Groups at Greenberg Glusker LLP. She can be contacted at
For reprint and licensing requests for this article, CLICK HERE.