by Alexandra Saddik and Jonathan Babione

Over the past several years, businesses have faced increased scrutiny with regard to how they protect personal information collected from individuals. California’s legislative response to this issue was to overhaul its existing network of privacy laws by passing the California Consumer Privacy Act (CCPA). This new privacy framework became effective January 1, 2020 and expands the rights that California residents (referred to as consumers) have with regards to their personal information.

Who Does the CCPA Apply To?

The CCPA applies to businesses that do business in California and to which one of the following apply:

  1. The gross annual revenue of the business exceeds $25 million.
  2. At least 50% of a business’ annual revenues derive from the sale of personal information. This also covers smaller businesses who do not deal in personal information but happen to collect it as a part of their regular operations.
  3. The business buys, receives for commercial purposes, sells, or shares for commercial purposes the personal information of at least 50,000 consumers, households, or devices.

The definition of a “business” that is subject to the CCPA is very broad. Under this definition the CCPA applies to businesses who are physically located out of state if they do business in California. Additionally, due to the scope of the business definition, businesses that otherwise would not have had potential privacy issues to address may need to set up a comprehensive and potentially costly system for accommodating consumer rights to comply with the CCPA.

Furthermore, businesses that share branding, are controlled by, or control a business that falls within the scope of the CCPA themselves must adhere to the CCPA. In other words, a business not only needs to determine whether it falls under the scope of the CCPA, but also determine whether its relationships with other entities puts it under the scope of the CCPA.

What Does the CCPA Require?

Under the CCPA, consumers have the right to the following:

  • Access: A consumer is entitled to access to personal information the business collected about the consumer. Businesses have 10 days to acknowledge receipt of a request to access personal information and 45 days to respond to it.
  • Notice at collection: The notice requirement in the CCPA consists of multiple prongs. First, consumers have a right to notice at collection, which means that the business needs to inform the consumer at or before the point of collection, that it is collecting the consumer’s personal information. The notice at collection should include what type of personal information is specifically being collected.
  • A comprehensive privacy policy: Under the CCPA, a business must provide a detailed privacy policy that describes:
    • the rights consumers have under the CCPA;
    • the type of personal information the business collected;
    • who shared the personal information with the business;
    • who the business will be sharing the personal information with;
    • any financial incentives to consumers who allow collection, retention, or the sale of personal information;
    • any rights to opt out of the sale of personal information; and
    • how consumers may submit requests pertaining to their personal information.
  • Opt-out: If a business sells personal information, consumers have a right to opt-out. Businesses must not only predominantly post the notice of a consumer’s right to opt-out, but also provide a clear means for the consumer to do so.
  • Deletion of personal information: A consumer is entitled to demand that a business delete personal information collected about the consumer.  Businesses must confirm receipt of such a request from the consumer within 10 days and respond to the request within 45 days.

Notably, the personal information of employees is not entitled to the same level of protection. To comply with the CCPA for employee personal information, employers only need to notify employees of:

  1. All the categories of personal information being collected; and
  2. All the purposes for which the information will be used.

Additionally, employers must implement reasonable physical and electronic security measures to safeguard the personal information of both job applicants and employees. The way employee information is treated will change in the next year. If no further changes are made, employees will have the same protection as other consumers under the CCPA effective January 1, 2021.

What Happens if A Business Violates the CCPA?

The consequences of violating the CCPA not only include penalties and fines from the California Attorney General’s office, but also potential private right of actions from consumers if there is a data breach.

What Should Businesses Do to Ensure Compliance With the CCPA?

Businesses that are subject to the CCPA need to reassess their current privacy policy and methods of managing personal information and reorganize their existing infrastructure to ensure that the consumer rights listed under the CCPA are respected. In order to ensure compliance as soon as possible, businesses must:

  • Map out the type of personal data being collected;
  • Conduct a security audit to ensure that the safeguards are adequate, update or create privacy policies that incorporate the rights consumers have under the CCPA;
  • Update any websites to satisfy the notice and opt-out requirements;
  • Create a procedure to allow consumers to request access to their personal data and/or deletion of their personal data; and
  • For employees and job applicants, create clear disclosures that satisfy the notice requirements.

Ferber Law is ready to assist you with any questions you may have about the steps your business may need to take to adhere to the CCPA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.