In late 2018 the California legislature passed the California Consumer Privacy Act ("CCPA"), which provides comprehensive privacy protections to give consumers "significantly more control over their information." This complex law gives consumers the right to know what personal information about them is collected, sold, or used by a business. It also gives consumers the right to have their information deleted, and a business that collects personal information must provide consumers notice of these rights. Businesses must have the personnel and processes in place to implement the procedures mandated by the CCPA. The CCPA provides consumers a private right of action and gives the Attorney General the authority to impose a per-violation fine. Businesses must be compliant with the CCPA by January 1, 2020. This article focuses on employers' obligations to their employees and applicants for employment.
Does CCPA Apply to My Business?
The CCPA has broad application. First, the business must be a for-profit entity doing business in California and meet one or more of the following thresholds:
- Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
- Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
- Derives 50% or more of its annual revenues from selling consumers' personal information.
How Does CCPA Generally Relate to Employees or Job Applicants?
The CCPA requires businesses to disclose to job applicants, employees, owners, independent contractors, emergency contacts, and welfare plan beneficiaries the categories of personal information the business has collected concerning them and the business purpose for collecting the information.
Consumers can request that the business provide them this information through verified requests.
Upon receipt of a verified request from a consumer, not including employees, a business must disclose the following concerning the personal information for the previous 12 months from the date of the request:
- categories of information collected;
- source of the information;
- business or purpose for collecting the information;
- categories of third parties with whom the information was shared; and
- specific pieces of information collected about the consumer.
The information must be delivered to the consumer within 45 days of the request. The period can be extended once by an additional 45 days when reasonably necessary, provided the consumer is given notice.
Failure to do so can result in a lawsuit, including class actions. The recoverable damages under the CCPA include not less than one hundred dollars and not more than seven hundred and fifty dollars per consumer per incident or actual damages, whichever is greater. Injunctive or declaratory relief also is available. Be sure to get legal advice on compliance if this complicated law applies to your organization!
Ogletree Deakins is a partner of California Employers Association.