Commencing January 01, 2020, the California Consumer Privacy Act of 2018 ("CCPA") requires businesses that collect personal information of California residents to inform those residents of the personal information it is collecting and/or has collected and to the disclose purpose(s) for said collection.
At first blush, this may appear to apply to only a small segment of businesses which collect and/or sell consumer data such as those involved in e-commerce or marketing; however, the CCPA defined "business," "personal information," and "consumer" broadly, and as such, it is likely to have a substantial impact on many unsuspecting businesses who are required to comply with the CCPA. For example, a for-profit business which conducts business in California and has annual gross revenue in excess of $25,000,000 will likely need to comply with the CCPA.
In order to avoid being involved in CCPA litigation, answers to some frequently asked questions about the CCPA are provided below.
Does My Business Have to Comply with the California Consumer Privacy Act?
It depends; however, as mentioned above, if you are a for-profit business which conducts business in California and have annual gross revenue in excess of $25,000,000, there is a very strong likelihood the CCPA applies to you.
The CCPA is applicable to any "business" which meets the following four (4) factors:
(1) It is a for-profit business;
(2) It does business in California;
(3) It collects "personal information" from California residents; and
(4) It meets one of the following thresholds:
a. Has Annual gross revenue in excess of $25,000,000
b. Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices; or
c. Derives at least 50% of its annual revenue from selling consumers' personal information.
While the second and third are a bit esoteric, the first highlighted threshold relies exclusively on gross revenue (i.e. gross receipts before expenses) as opposed to revenue from sale or distribution of personal information and drags many businesses under the CCPA's authority that do not engage in the selling or sharing of consumer personal information.
At a minimum, if there is a possibility a business' annual gross revenue will approach $25,000,000, it is important to understand the CCPA and take preventative measures now to avoid costly litigation later.
I Do Not Collect My Customer's Personal Information, Does the CCPA Still Apply?
While the CCPA would apply to a business which collects California residents' personal information (such as a credit card on file or a customer list), the CCPA refers to "consumers," not customers, and defines "consumer" broadly to be "a natural person who is a California resident." In fact, the only meaningful limitations on consumer is that the consumer be a natural person (i.e. not an entity) and a resident of California.
Since CCPA "consumers" are any natural persons that are residents of California, in the employment context, consumers can include applicants, employees, contractors, directors, and officers.
What Constitutes Personal Information Under the CCPA?
"Personal Information" under the CCPA is :
Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular household:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The CCPA Applies to Employees, Job Applicants, Independent Contractors, etc.
While any of the aforementioned categories of personal information can be involved in an employment relationship, those highlighted above are particularly likely to be used in the employment context. For example, if a business maintains records of their employee's full name, address or social security number, a fingerprint for clocking-in and -out, have computers which track browser history, maintain GPS on company vehicles or phones, or keep resumes of applicants or employees, that is likely the collection of personal information subject to CCPA.
Any business with California employees likely collects "personal information" since they retain personal information of employees for payroll, so if an entity qualifies as a CCPA business, it is important to understand what personal information is being collected and how it is being used so a proper notice may be prepared and distributed to the appropriate consumers. The CCPA also applies to personal information that is collected for job applicants, temporary staffing employees, and independent contractors.
My Business Only Keeps Hardcopies and Does Not Use a Computer, Does the CCPA Still Apply?
Yes, assuming it is a qualifying "business," "consumer," and "personal information," the CCPA still applies to hard copies as well as electronic copies.
The CCPA specifically states, "The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers."
Accordingly, whether the business is completely digital, mixed, or uses entirely offline hardcopies, the CCPA still applies assuming the other aforementioned tests are met.
Under the CCPA, My Business Maintains Personal Information of Consumers; What Is Required of My Business to Comply with the CCPA?
The CCPA vests consumers with the following fundamental rights:
(1) Right to Notice of the personal information collected by businesses;
(2) Right to Notice of the disclosure or sale of personal information including to whom it is disclosed/sold;
(3) Right to say no to the sale of personal information;
(4) Right to access their personal information; and
(5) Right not to be discriminated against for exercising rights under the CCPA.
Assembly Bill 25 (2019) exempts CCPA businesses collecting personal information used solely within the context of the consumer's role or former role as an applicant, employee, contractor, director, and/or officer from much of the CCPA until January 01, 2021. However, the aforementioned businesses must still provide notice of the personal information they collect as well as the purpose for the collection at or before the point of collection as required under the CCPA by January 01, 2020.
What Happens If My Business Fails to Provide Requisite CCPA Notice to Employees?
There are potentially two (2) types of exposure for violations of the CCPA. The first is a private cause of action by a consumer, and the second is a lawsuit brought by the California Attorney General.
The private cause of action provides for damages between $100 and $750 per incident or actual damages, whichever is greater, injunctive relief, and any other relief the court deems proper for "[a]ny consumer whose nonencrypted or nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Notably, a consumer may sue for a breach even if there are no damages. "Incident" is not defined under the CCPA, so it is unclear if a single incident of theft of 100 employee's records for four years who receive weekly paystubs would be 20,800 violations (100 employees x 52 weeks/year x 4 years = 20,800) resulting in exposure of $2,080,000 to $15,600,000 or 100 violations resulting in exposure of $10,000 to $75,000.
The California Attorney General may initiate a cause of action after a business fails to cure any alleged violation of the CCPA within 30 days, and the business may be subject to injunctive relief and liable for civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation.
What Can I Do to Protect My Business?
While still in its infancy, it is clear the CCPA has created a significant potential for liability for entities doing business in California, particularly those that have revenue in excess of $25,000,000.
The best method to protect your business is to be proactive and ensure proper notice is ready by January 01, 2020, so that you may stay in compliance. While this discussion addresses general CCPA topics, legal advice to navigate this complex law is strongly recommended. In light of the CCPA, companies should also consider updating their document retention policies.
If your business is considering creating or revising your employee handbook to comport with new laws such as the extension of the Paid Family Leave Act, expansion of lactation accommodations, or inclusion of prohibition of hairstyle discrimination, or you're just looking for assistance in your CCPA compliance efforts, Sagaser, Watkins & Wieland PC is available to assist you with your employment law needs.