As part of our blog series, we share some of the most frequently asked questions that we receive from organizations across different industries regarding data privacy and security, and more specifically GDPR and CCPA. This is the second FAQ in our series.
Even though the California Consumer Privacy Act (“CCPA”) will be effective January 1, 2020, the time to plan for compliance is now. It may seem as though you have plenty of time to prepare, but it is a mistake not to start preparing. Indeed, with the twelve-month lookback provisions, companies must have proper records of personal information that they collected as of January 1, 2019.
Under the CCPA, individuals have various new rights that must be detailed in a company’s just-in-time privacy notice (a new requirement under the Attorney General’s proposed regulations) and in a company’s privacy policy, including the right to access their information, to request deletion of their information, to be informed of certain transfers of their information, to opt out (if over 16) of or opt in (if under 16) to sales of their information, and to receive equal service and price even if they exercise their rights.
There are many nuanced questions to consider that may not be apparent on a cursory read of the CCPA or the proposed Attorney General regulations. Some basic common questions arise when companies first hear about the CCPA, as follows.
Does the CCPA really apply to my small business?
The CCPA applies to businesses (and their parents and subsidiaries) that process information of California residents and have annual gross revenue exceeding $25 million or derive more than 50% of their revenue from sales of personal information. The CCPA also applies to businesses that handle personal information of 50,000 or more consumers, households, or devices. Setting aside the question of how to allocate and account for information of a single household with multiple individuals, the CCPA would apply to businesses that collect information from only 137 unique users a day. A typical website alone will easily meet this prong, thereby becoming subject to the CCPA.
My business does not have an office in California, so am I still subject to the CCPA?
The CCPA applies to businesses that collect information from a “natural person who is a California resident,” meaning an individual in California other than for a temporary or transitory purpose (e.g. a tax paying resident) and every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose (e.g. if a California resident is on vacation in Hawaii). A business with no offices or connections to California that does not collect information from any California resident may not be subject to the CCPA.
I don’t think we really collect personal information. Does the CCPA apply?
Keep in mind that the CCPA defines personal information extremely broadly. Under the CCPA, personal information is data that is capable of being associated with a consumer or household, including IP addresses, cookies, beacons and pixel tags that can be used to recognize a data subject, probabilistic identifiers, and gait patterns. If you have a “Contact Us” form on your website, if you take résumés for job postings, or if your website tracks cookies, you are collecting personal information.
We do not collect personal information online, only offline. Does the CCPA apply?
Yes, the CCPA applies with respect to both online and offline personal information. If you operate a retail store and take payments or keep a ledger of purchases, you are collecting personal information. Indeed, the Attorney General’s proposed regulations clearly indicate that brick-and-mortar companies must offer privacy policies on site or refer customers to where they can be found.
But the information we collect is all public. How is that information addressed?
There is a very limited exception for publicly available information. Publicly available information is information that is available from government records. So even if an individual’s corporate email address can be found on another website, if you collect that email address on your website, that information falls within the scope of the CCPA.
My business is a non-profit. How does the CCPA affect me?
Even if your non-profit entity, standing alone, is not a “business” subject to the CCPA, a non-profit that is a subsidiary of a for-profit business may still have to comply with the CCPA. Additionally, your service providers are likely subject to the CCPA, and you must ensure that they comply with the CCPA.
Who are consumers under the CCPA? Are employees covered?
A “consumer” under the CCPA is defined broadly. A consumer is not only a customer or user of your services, products or websites. Your employees are also consumers – for now. This is a shift from the norm of having a company policy that indicates there is no expectation of privacy in the workplace. Companies need to prepare internal privacy policies for their employees and provide their employees with the rights under the CCPA. Employers had hoped that certain amendments to the CCPA, notably AB 25, would completely remove employee data from the scope of the CCPA and pass through committee without modification for final Senate approval. But in July 2019, the California Senate Judiciary Committee advanced AB 25 with changes, which means that employers will still have to grapple with their handling of employee data under the CCPA.
AB 25 provides a one-year hold for 2020 on the CCPA’s application of many of its provisions to the personal information of employees, contractors, and job applicants. This hold is limited and applies only when the employer uses the data within the scope of its employment relationship for employment purposes. Any use by an employer outside the scope of the strict employment relationship would remain covered under the CCPA. For example, if an employer allowed its insurance company to collect employee data in order to market other insurance services to those individuals, this would be subject to the CCPA.
Employers must still notify employees, contractors and job applicants, in a privacy policy, of the personal information that they collect and how they use it. Such employee data will also fall within the purview of the CCPA’s private right of action for data breaches resulting from the failure to implement reasonable security measures.
Why do I have to prepare now?
The CCPA’s recordkeeping requirements oblige companies to keep detailed records, organized by the CCPA’s categories of personal information, dating back to January 1, 2019. Detailed records and data maps must be prepared now to meet these obligations. Companies should inventory the information that they have collected since January 1, 2019. Businesses must publish their new privacy notices and updated privacy policies, and include the “Do Not Sell My Personal Information” link (if required), by the time the CCPA is effective. Businesses must also have proper agreements with their service providers, and have systems, policies, and procedures in place to manage user rights and to update their privacy policies annually.