Insights
Publications

Is your company covered by California's new privacy law?

November 22, 2019 Articles
North Bay Business Journal

On Jan. 1, 2020, the California Consumer Privacy Act (CCPA), a consumer-friendly privacy law inspired by the European Union’s General Data Protection Regulation, will take effect.

The CCPA is aimed towards bolstering consumers’ privacy rights by instituting notice, retention, security, and other requirements related to collecting consumers’ “personal information,” defined broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

For example, the CCPA potentially governs information collected from consumers for mailing and marketing lists, billing, satisfaction surveys, and other purposes.

Is your company covered?

To fall within the CCPA’s coverage, a for-profit business must meet only one of the following criteria: (1) annual gross revenues exceeding $25 million; (2) annual purchase, receipt for the business’s commercial purposes, sale, or sharing for commercial purposes, alone or in combination, of the personal information of 50,000 or more consumers, households, or devices; or (3) 50% or more of annual revenues derived from selling consumers’ personal information.

Any business (including a nonprofit) that does not directly meet one of the above-listed criteria may still be covered if it (1) controls or is controlled by, and (2) shares common branding with, a company meeting one of the above criteria.

Data collection notice requirements

The CCPA requires the disclosure of various information about data collection. Most notably, it calls for covered entities to notify consumers of “the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.” This information must be provided “at or before the point of collection.”

For example, covered entities that collect consumer information (such as names and contact information) for mailing or marketing lists must, at or before the time the information is collected, explain to consumers what information it is collecting and how it will be used. If the entity wants to later use that information for a previously undisclosed purpose, the entity must notify affected consumers of the new purpose.

In addition to notice regarding the information collected, the CCPA also requires the disclosure of a consumer’s rights to (1) request disclosure of the personal information collected; (2) opt-out from the sale of the data; (3) request that data be deleted; (4) non-discrimination for the exercise of privacy rights; and (5) use an authorized agent to make privacy-related requests of the covered entity.

For information collected through the entity’s website, CCPA-required disclosures would be provided in the entity’s website privacy policy. It is therefore critical that companies evaluate and update their posted privacy policies prior to the new year.

Liability for security breaches

The CCPA establishes liability for certain security breaches involving the “unauthorized access and exfiltration, theft, or disclosure” of consumers’ personal information. In the event of a covered breach, each affected individual can recover between $100 and $750 in statutory damages.

Thus, damages can add up pretty quickly in class action lawsuits. The breach must result from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

The CCPA does not define “reasonable security procedure and policies,” but California’s attorney general provided some guidance in its February 2016 California Data Breach Report. Thus, covered entities should review their information security policies and practices to reduce the risk of a breach.

Application to employment-related data

Although the CCPA is expressly directed at consumer privacy, it also has implications for employment-related data.

“Personal information” may encompass many categories of data collected from employees, applicants, or other personnel, such as contact information; Social Security numbers; education and employment history; bank and financial information; medical, insurance, or benefits information; family and dependent information; photographs or recordings; and internet or computer activity records.

Assembly Bill 25 delays most of the CCPA’s application to employment-related data until Jan. 1, 2021. However, on Jan. 1, 2020, two provisions relating to such data will take effect for covered employers: (1) data collection notice requirements and (2) liability for security breaches.

Thus, covered employers may want to (1) review all online and hard-copy forms used to collect personal information, such as employment applications, new hire paperwork, and benefits enrollment materials, to ensure they provide CCPA-compliant notice; (2) develop a general privacy notice for new hires explaining what categories of data will be collected during their employment and how the data will be used; (3) review and update internal policies concerning the collection and use of personal information; and (4) train employees regarding CCPA requirements.

And, as with all covered entities, employers should carefully review their information security policies and procedures, and coordinate with their IT and HR departments, to reduce the risk of a security breach.

California Consumer Privacy Act full text, here.

Firm Highlights

Publication

10 Tips for Mandatory Covid-19 Vaccination Policies

The Biden administration recently announced that it will be mandating Covid-19 vaccine policies for federal contractors and federal employees, as well as for employers with over 100 employees. This announcement, along with surging Delta...

Read More
Publication

Preparing Your Cannabis Business for California’s New Employment Laws in 2022

Chandra Andrade and Rebecca Stephens discuss "Preparing Your Cannabis Business for California’s New Employment Laws in 2022" at our Cannabis Industry Education Series. Each year in California, the new year brings new employment laws for businesses to...

Read More
Publication

Continuing Use of CGL Policies to Cover Data Breach Losses

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance...

Read More
Publication

hiQ’s Groundbreaking Injunction Against LinkedIn Reaffirmed: Scraping of Publicly Available Data Likely Does Not Violate CFAA

The U.S. Court of Appeals for the Ninth Circuit has affirmed its prior decision , holding that LinkedIn could not block hiQ, a scraping entity, from scraping public LinkedIn profiles. The court found it was...

Read More
News

Farella Braun + Martel Expands Employment Practice

Northern California legal powerhouse Farella Braun + Martel announces the addition of associates Jeffrey Briggs and JaeWook "Jerry" Lee to its growing employment law practice. Farella continues to invest in its employment practice to...

Read More
Publication

Preparing Your Organization for California's New Employment Laws in 2022

Chandra Andrade and Rebecca Stephens discuss "Preparing Your Organization for California’s New Employment Laws in 2022." Each year in California, the new year brings new employment laws for businesses to follow. This is a...

Read More
News

LinkedIn Loses Data Appeal

Erik Olson was quoted in the article "LinkedIn Loses Data Appeal" in CDR Magazine . In the article, Erik said: We are pleased to see that the Ninth Circuit has again affirmed, in light...

Read More
Publication

New California Employment Laws in 2022

The California Legislature passed and Governor Newsom signed several new or amended employment laws covering topics ranging from non-disparagement and separation agreements, the California Family Rights Act, and warehouse production quotas. Unless otherwise noted...

Read More
News

Janice Reicher Named a 2022 Leadership Council on Legal Diversity Fellow

Farella Braun + Martel is proud to announce that Janice Reicher has been named a member of the 2022 class of Leadership Council on Legal Diversity (LCLD) Fellows. Janice joins a select group of...

Read More
Publication

Preparing Your Wine Business for California's New 2022 Employment Laws

Farella employment lawyers Chandra Andrade and Rebecca Stephens discuss California's new employment laws affecting wine businesses, what to look for, and what to do next, including: Template employment document updates in light of amendments to...

Read More