Five Things Business Owners Need To Know About California’s New Privacy Laws Posted January 21, 2020
The California Consumer Privacy Act (CCPA) is a comprehensive set of statutory amendments that create substantial new burdens regarding the collection and use of individuals’ personal information. The law protects “consumers” – basically, any California resident, which means the law applies to businesses outside California who provide products or services to California residents. A company covered by the law must tell consumers how the company uses their personal information, and the company may have to delete the consumers’ information on request. Here are five things you need to know, and one bit of good news:
The CCPA covers companies that do business in California and have total revenues over $25 million, or handle personal info received from more than 50,000 consumers, households, or devices per year. For example, the law potentially would apply to a business that, in 2020, services 1,000 customers, logs 2,000 social media followers, uses a postal mailing list with 10,000 names, and maintains a website that counts 37,000 unique visits. It also applies to any company of any size that derives more than 50 percent of its revenue from selling consumers’ personal information.
The CCPA covers ALL personal information a business collects about consumers, including information collected from the consumers themselves: names, postal and email addresses, phone numbers, bank or credit card account information, and past purchases. It doesn’t apply to non-personal Internet data (such as browsing history) automatically collected by your website.
If you are subject to the law, consumers can send you a disclosure request. In response, you have to tell them what information you have collected about them and what you have done with it. Consumers also have “the right to be forgotten”; you have to delete their information on request, unless you are legally required to maintain it. Businesses subject to the law must establish procedures and train staff on how to handle these requests.
Businesses subject to the law must include information in their online Privacy Policies about how to submit disclosure and delete requests. The online policy must include a notice that the business will not charge or discriminate against a consumer for submitting the request.
Noncompliance with the CCPA subjects a business to penalties in an enforcement action brought by the California Attorney General. The CCPA does not appear to give individual consumers the right to sue for violations of the law but the language of the CCPA is not entirely clear on that point. In the lawsuit-prone culture of California, businesses cannot assume they are safe without addressing these issues.
One bit of good news for California employers: the CCPA does not apply to information collected from employees or job applicants – for the moment! This exception expires at the end of 2020, which is intended to provide the legislature with a meaningful opportunity to determine how to balance the requirements of the CCPA with the obligation to maintain employee records. Stay tuned for further information about how employee records will be handled in 2021 and beyond.
For more information about complying with the CCPA, or other questions about intellectual property or employment law, please contact the attorneys at LightGabler.