California Consumer Privacy Act (“CCPA”)
The California Consumer Privacy Act (“CCPA”) takes effect January 1, 2020 and is similar to the European Union’s General Data Protection Regulation (GDPR). The CCPA requires transparency from businesses regarding their collection and usage of personal information, and provides California consumers certain rights with respect to their data.
To Whom Does the CCPA Apply?
Businesses will be subject to the CCPA if they meet the following requirements:
- have gross annual revenues in excess of $25 million;
- buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices annually; or
- derives 50 percent or more of annual revenues from selling consumers’ personal information.
What Does the CCPA Require?
Businesses subject to the CCPA will be required to provide California consumers with a notice “at or before the point of collection” that details the following two items:
- The categories of personal information that the business will collect about them; and
- The purposes for which the personal information will be used.
Businesses may provide this notice as a part of their website’s privacy policy, which must be updated every 12 months. The notice must also communicate if personal information is shared or sold, and if so, what personal information was disclosed.
Subject to certain exceptions, under the CCPA California
consumers have certain rights with respect to their data. Upon a verifiable
request, consumers may exercise their rights to access the information
collected by the business, can request that their information be deleted, and
have the right to opt out of the sale of their personal information.
Among other requirements, businesses subject to the CCPA must make available two methods for submitting a consumer request, including a toll-free number. Additionally, the subject business must post a clear and conspicuous “Do Not Sell My Personal Information” link on their website homepage (or on a specific page for California consumers), that links to a webpage that enables consumers to opt out of the sale of their personal information. Training and procedures are required for employees fielding these requests, and businesses are prevented from discriminating when handling the request.
Does the CCPA Apply to my Employees?
Under AB 25, the California legislature largely exempted employees from the CCPA, yet the bill still requires that covered employers provide employees with privacy policies. The CCPA does not clearly state what must be included in the privacy policy, and the Attorney General’s draft regulations are the only official guidance on how to draft and implement CCPA-compliant employee privacy policies. From those draft regulations it appears that, at a minimum, employee privacy policies must contain:
- a description of the categories of personal information to be collected, and
- the purpose(s) for which the disclosed categories of personal information will be used.
Generally speaking, businesses subject to the CCPA will want to closely mirror their privacy policies for both consumers and their employees.
What are the Penalties for Violating the CCPA?
The CCPA can be regulated and enforced by the California Attorney General. Civil penalties can be up to $2,500 per violation, with the penalty for intentional violations up to $7,500 per violation. Importantly, the Act also provides a private right of action for consumers.
Conclusion
Data privacy continues to be a major concern. Businesses would be wise to take note of the CCPA requirements, regardless of whether the CCPA applies. Currently, proposed federal legislation, similar to that of the CCPA, is making its way through congress. Complying with the CCPA now may help with future federal compliance. Business with questions on whether the CCPA applies, or how the business can comply with the CCPA, should consult legal counsel before the January 1 deadline.
The attorneys at Carmel & Naccasha have extensive experience advising businesses clients in data privacy and protection.
Visit the Morris & Garritano Insurance newsletter for more information.
Contact Legal Professional
The information provided herein does not, and is not intended to, constitute legal advice; instead all information, content, and materials are for general informational purposes only.
If you have any questions, please contact Carmel & Naccasha, and for more details, read our full disclaimer.
