Generally, the California Consumer Privacy Act (CCPA) protects all the “personal information” belonging to “consumers.” The term “consumers” refers to California residents, and the term “personal information” has an expansive definition that refers to any individually identifiable data about the users.
Not all companies are covered by the CCPA. Businesses located in and outside of California must comply with the CCPA if they fall under one or more of the following categories:
- they have gross annual revenues of more than $25 million;
- they buy, receive, or sell personal information of 50,000 or more consumers, households, or devices; or
- they earn 50% or more of their annual revenues from selling consumers’ personal information.
Assembly Bill 25 (AB-25) gave employers a temporary reprieve from complying with most aspects of the CCPA. However, it is only a 12-month exemption from CCPA obligations with respect to information collected by a business “in the course of a natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business.”
Under AB-25, employees and job applicants are not considered “consumers” under the CCPA; therefore, they do not receive the privacy protections afforded under the CCPA. There are two caveats, however, where businesses still have a duty to comply with the CCPA: (1) disclosure requirements and (2) safeguarding requirements.
Starting January 1, 2020, employers must provide privacy notices to employees that describe what personal information will be collected and how it will be used. This notice is due “at or before the point of collection.”
The CCPA affords California residents a private cause of action for a data breach, either as an individual claim or as a class-action lawsuit. When a company has failed to take reasonable security measures to protect consumers’ data (including that of employees and job applicants), it could face statutory damages of between $100 and $750 per incident. Further, employers are also subject to a fine of between $2,500 and $7,500 from a competent authority in case of a breach under the CCPA.
Though the CCPA does not define “reasonable safeguards,” businesses can take guidance from a 2016 data breach report, which recommends a minimum of 20 measures identified in the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.
On the Horizon
Notwithstanding the temporary reprieve from AB-25, as of January 1, 2021, employers should expect to be fully compliant with the CCPA, including the access and deletion request requirements that allow consumers more control over their personal information.
The access and deletion request requirements would give workers the right to know whether their personal information is being disclosed or sold to third parties, to opt out of the sale of their personal information, and to request a copy of all personal information the company has on file for them.
To comply, businesses should know what data they collect, how it is archived, how it is accessed, how it can be reported to individuals, and how it can be deleted if requested. Businesses should consider ways to limit the amount of information they collect so as to make compliance with the access-and-delete requirement less cumbersome.
Businesses should also assess their third-party vendor relationships to ensure they comply with the CCPA rules, lest they be held liable for the third-party vendor’s actions.
Businesses outside of California should follow what happens with the CCPA, because California often acts as a trendsetter for legislation, and other states could adopt similar privacy protections in the future.