California Consumer Privacy Act (CCPA)
by Gerald Sauer
The new year has brought with it many changes in the law that affect employers and employees in California. One of those laws, the California Consumer Privacy Act (CCPA), became effective January 1, 2020 and will be enforced starting July 1, 2020. The law, enacted in 2018, requires for-profit businesses (including most employers) to disclose to consumers (including employees) certain categories of data collected by the business and requires the deletion of data upon request by the consumer.
Employers are exempt from some of the law’s provisions until January 1, 2021. Here is a guide to help employers determine if the CCPA applies to them and how it will impact their business in the next year:
What is a covered entity?
The CCPA applies to any for-profit business who meets these criteria:
Applicants, employees, and independent contractors have a right to request (1) that the business tell them what personal information it has collected, sold, or disclosed, and to whom; (2) that the business delete their personal information; (3) a copy of the information that has been collected, sold, or disclosed; and (4) to opt out of the sale of their personal information. Employees may not be retaliated against for exercising these rights.
- Has annual gross revenues in excess of $25 million; OR
- “Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;” OR
- “Derives 50 percent or more of its annual revenues from selling consumers’ personal information.”
A “consumer” is any “natural person who is a California resident,” which includes a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.”
How will this impact covered employers starting January 1, 2020?
- Covered employers must provide notice of the type of data collected from their employees and customers and the purpose of the collection. Data is defined broadly to include “professional or employment related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data.”
- A private right of action (on an individual or class-wide basis) allows recovery of statutory damages ranging from $100-$750 per employee per incident for any unauthorized disclosure or access to the data.
- Applicants, employees, and independent contractors have a right to request (1) that the business tell them what personal information it has collected, sold, or disclosed, and to whom; (2) that the business delete their personal information; (3) a copy of the information that has been collected, sold, or disclosed; and (4) to opt out of the sale of their personal information. Employees may not be retaliated against for exercising these rights.
Employers do not have to delete data that is maintained solely for internal uses reasonably in line with the purpose for which it was collected (i.e. human resources or other employment-related purposes), or if required to comply with a legal obligation. Given that California employment laws require maintenance of employment records for at least three or four years, the deletion will not be required for most applicant, employee, and independent contractor data otherwise subject to the CCPA’s protections.
If you have any questions about compliance with the CCPA, please contact us.