What California's consumer privacy act means for employers

CCPA isn't just for employers in California; companies both inside and outside of the state will be affected by its requirements.

If your business just completed the frustrating task of complying with (or getting close to complying with) the European Union’s General Data Protection Regulation (GDPR), or your business escaped compliance with GDPR, the State of California has thrown you a curveball.

The California Consumer Privacy Act (CCPA), which was signed into law in June 2018 by Governor Jerry Brown, is the first United States law following in the footsteps of GDPR. And before you assume that the CCPA will not affect you because your business is not located in California, know that companies both inside and outside of California will be affected by its requirements.

The CCPA took effect immediately upon Governor Brown signing the law. However, the requirements will not go into effect until Jan. 1, 2020. Additionally, the CCPA requires that the California Attorney General publish regulations between Jan. 1, 2020, and July 2, 2020. Finally, if that wasn’t complicated enough, the Attorney General is precluded from bringing an enforcement action under the CCPA until the earlier of six months after the final regulations are published, and July 1, 2020. At this point, businesses must hope that the final regulations are published well in advance of July 1, 2020, so they can fully prepare for implementation of the many requirements.

What follows is a short summary of the CCPA, and how it will affect businesses with exposure to California residents.

What individuals have rights under the CCPA?

The CCPA extends the protections and rights thereunder to California residents, which is defined as any natural person “enjoying the benefit and protection of laws and government” of California who is in California “for other than a temporary or transitory purpose” or “domiciled” in California but “outside the State for a temporary or transitory purpose.”

What businesses are subject to the CCPA?

Briefly, the CCPA applies to for-profit entities that both collect and process the Personal Information of California residents and do business in the State of California. However, a physical presence in California is not a requirement, and it appears that making sales in the state would be sufficient. Additionally, the business must meet at least one of the following criteria in order for the CCPA to apply:

Nonprofit businesses, as well as companies that don’t meet any of the three above thresholds, are not required to comply with the CCPA.

What is “personal information” under the CCPA?

Much like the GDPR, the CCPA includes a broad definition of “personal information,” much broader than typical privacy-related laws normally seen in the United States. “Personal information” is defined under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The addition of the term “household” adds a dimension to a privacy law that is largely uncharted territory. Specifically, information collected by a business does not have to be associated with a name or specific individual, but rather can identify a household.

The definition of “personal information” under the CCPA also lists a wide range of standard examples that includes Social Security numbers, drivers’ license numbers and purchase histories, but also “unique personal identifiers” such as device identifiers and other online tracking technologies.

The CCPA excludes information that is publicly available, which is defined as information that is “lawfully made available from federal, state, or local government records, if any conditions associated with such information,” but excludes biometric information collected without the consumer’s knowledge and personal information used for a purpose different from the one for which the information is maintained and made available in the government records or otherwise publicly maintained.

The CCPA also excludes aggregated or de-identified data, as well as medical or health information collected by a person or entity governed by California’s Confidentiality of Medical Information Act or HIPAA.

What new rights are given to consumers?

The CCPA provides consumers with more control over their personal information in four ways:

Disclosure responsibilities

Increased disclosure will be a large part of compliance. Businesses subject to the CCPA will need to proactively explain privacy notices to consumers when personal information is collected. That includes informing consumers of their rights under the CCPA, the categories of personal information collected, the ways that personal information is used, and the categories of personal information the business has sold to third parties in the last year. These disclosures must be updated every 12 months.

Private right of action

Opening the door to a potential flood of litigation, the CCPA provides consumers a private right of action if their personal information “is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Consumers can file individual or class action lawsuits, and can recover between $100 and $750 in statutory damages per incident, or actual damages. The CCPA also allows consumers to seek injunctive and other forms of relief, and sets out different procedures for actions seeking actual versus statutory damages.

Penalties for noncompliance

Businesses that fail to comply with the CCPA are subject to civil penalties of up to $2,500 per violation and $7,500 per intentional violation. Once notified of a violation by the Attorney General, companies have 30 days to come into compliance in order to avoid penalties, although it is difficult to see how that would apply to a data breach occurrence.

How to prepare

The CCPA has already been amended once, and may go through additional updates before it takes effect, but businesses should start to prepare now. Privacy notices, other policies and procedures, and websites will need to be updated before the CCPA takes effect. At the very least, a business should start mapping the personal information that it collects and locations where personal information is stored so it can promptly meet any request under the CCPA.

Mark G. McCreary is the Chief Privacy Officer and Co-Chair of the Privacy and Data Security Practice at Fox Rothschild in Philadelphia.