The California Consumer Privacy Act (CCPA) is the state’s law that provides Californians with certain rights concerning the way in which businesses use their personal information.
The CCPA exemptions for employee and business-to-business (B2B) personal information haven’t been extended, so California businesses must be ready to provide a number of new privacy rights to employees as of January 1, 2023.
Companies that do business for-profit in California must follow the CCPA, regardless of whether they are incorporated or have a location in the state. These businesses will be subject to the CCPA if they meet one or more of the following threshold requirements:
- Annual gross revenue in excess of $25 million;
- Annually buys, sells, or shares the personal information of 100,000 or more consumers; or
- Derives 50% or more of annual revenue from selling the personal information of consumers.
When Does the CCPA Go into Effect?
Governor Gavin Newsom signed AB 25 into law in October 2019, which gave businesses some temporary relief by exempting personal information that’s collected in certain employment contexts and in a business-to-business (B2B) context from the scope of the CCPA until the start of last year. Newsom subsequently signed AB 1281 into law in September 2020, which provided a one-year extension to the partial employee and B2B exemptions until January of this year, applicable only in the event that the California Privacy Rights Act (CPRA) ballot initiative failed.
However, when the CPRA was approved in the 2020 election, the exemptions were again extended until January 1, 2023. The California legislature adjourned without extending the exemptions; as a result, they will expire on January 1, 2023 in concert with the effective date of the CPRA.
What are the New Requirements under the CPRA for Personal Information Collection?
The CPRA has expanded consumer rights and will now grant the right to know and access, the right to deletion, and the right to correction of personal information. Specifically, the key new requirements include the following:
The CPRA broadens the scope of behavior covered by the law by amending all mentions of “selling” to include “sharing.” The Act defines “share,” “shared,” or “sharing” as:
[S]haring, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
Where a business engages in sharing, it must post a link titled “Do Not Sell/Do Not Share My Personal Information” and give consumers an opportunity to opt out of sharing.
The amendment also adds the term “sensitive personal information,” which will require California businesses to provide consumers or their authorized agents with easily accessible means to allow consumers and their children “to obtain their personal information, to delete it or correct it, to opt out of its sale and sharing across business platforms, services, businesses, and devices, and to limit the use of their sensitive personal information.”
The CPRA introduces new data minimization and data retention requirements. Businesses must not collect more personal information than is necessary and cannot keep personal information for longer than is reasonably necessary for disclosed purposes.
Are There Still Exemptions to the Applicability of the CPRA?
The CCPA has a partial employee exemption for personal information collected by a business about a person who was either a job applicant or past/current employee or in an otherwise related position. This includes the following positions:
- Contractors; and
The exemption is limited to when the business used the information provided “solely within the context” of employment actions. The B2B exemption applies to personal information of employees or business contacts that a company collected to assist in providing or receiving a product or service to and from another business.
What Must California Companies Do with Employee Data and Personal Information Collected in a Business Context?
Personal information collected in some employee circumstances and in a B2B context will now be subject to the requirements of the CPRA. California businesses must now consider their data privacy compliance efforts. This should include:
- Determine whether the CPRA applies to your company.
- Add consumer request forms so that consumers can exercise their enhanced rights and make specific requests about their personal data.
- Add a “Do Not Sell/Do Not Share My Personal Information” notice.
- Perform a data inventory to determine the types of information your business collects and if you gather sensitive personal information. Ascertain the companies with which you share data, where it’s retained, and how it’s transferred.
- Schedule regular audits to review and improve data mapping activities, including monitoring and protection of sensitive personal information.
- Look at the CPRA's amended contractual terms and be ready to amend your contracts with service providers, contractors, and third parties.
- See if your suppliers have acceptable data privacy safeguards in accordance with the CCPA’s requirements.
- Update employee, job applicant and other privacy notices and disclosures to incorporate personal information collected in an employment and B2B context.
- Be prepared to disclose a full text privacy notice to employees with the following information:
  - The categories of sensitive personal information and personal information the company collects and processes;
  - The purposes for the processing;
  - The retention period by category of personal information;
  - The description of the available consumer rights; and
  - How people can exercise these rights.
California businesses will need to develop, review, and update their data retention policies and procedures.
With January 1, 2023 around the corner, your company must make sure it’s ready for the CCPA. If you have any questions about how to prepare your business to comply with the onerous requirements of the CPRA, Eanet, PC can help.