Here's what you need to know.
- 1. What is the CCPA?
- 2. Consumer Notifications
- 2.1.1. Consumer Rights Under the CCPA
- 2.1.2. Data Types You Handle
- 2.2. "Do Not Sell My Personal Information"
- 3. Business & Employment Notifications
- 3.1. Business-to-Business Notifications
- 3.1.1. An Exemption
- 3.1.2. Preparation
- 3.2. Employment Notifications
- 3.2.1. An Exemption
- 3.2.2. Preparation
- 4. Summary
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a piece of state legislation that can affect businesses across the US and the rest of the world. It's designed to uphold and protect a series of privacy rights for consumers in California.
What isn't so widely appreciated is that the law also protects those consumers in their professional lives. A year after the CCPA changes business-to-consumer rules it will introduce new requirements for handling personal data about staff, contractors and business customers.
In both cases, the CCPA broadly says you must inform people what personal data you collect about them. You don't need advance consent to collect the data, though consumers do have the right to opt out of you selling their data.
The CCPA applies to any business that serves Californian residents and meets one of three thresholds:
- Has at least $25 million in annual revenue
- Processes personal data relating to more than 50,000 people (or households or devices)
- Revenue from selling personal data makes up more than 50 percent of annual revenue
As well as outlining broad privacy principles, the CCPA lays down some specific measures for notifying consumers about their rights and your data handling practices. The rules took effect on 1 January 2020 but can cover information collected before this.
This is what you need to publish.
The notice must cover six points:
- What rights California consumers have under the CCPA
- How they can exercise those rights (including any necessary contact details)
- The types of personal data you've collected about consumers over the previous 12 months
- The types of personal data you've sold over the previous 12 months
- The types of personal data you've disclosed to third parties over the previous 12 months
- A link to a "Do Not Sell My Personal Information" page
Here's some further detail:
Consumer Rights Under the CCPA
You must inform consumers that they have the right to:
- Know what personal information you collect
- Know if you sell or disclose their personal information
- Opt out of you selling it
- Access their personal data
- Not be discriminated against for exercising privacy rights
This extract is from Hotel Cerro's Privacy Notice to its Californian customers, which details the rights and how to exercise them:
This clause does a good job of informing readers what their rights are and what exactly those rights mean for them. It also clearly lists everything users need in order to make a consumer request to exercise their rights.
Data Types You Handle
When you list the types of personal data you've handled, you must do so using 11 designated categories. The precise definitions are listed in the CCPA itself, but in summary they are as follows:
- Names, numbers and addresses that identify an individual
- Anything classed as "personal information" under California law before the CCPA took effect
- Anything related to "protected classifications" (in other words characteristics such as gender or disability over which employers can't discriminate)
- Commercial information
- Biometric information
- Internet activity
- Geolocation data
- Audio, visual, electronic and similar information
- Employment information
- Education information
- Profiling data (things you've inferred about somebody from other data, for example their attitudes or preferences)
This example from Horne LLP shows how to detail sharing and disclosure using the categories system:
Note how it explicitly lists the category letters, which is helpful in that it references the actual law. It also includes a brief description that's easy to understand. There's also a simple statement that the company has not sold any personal information in the preceding 12 months.
"Do Not Sell My Personal Information"
The CCPA doesn't set down a title for the opt-out page itself, but the links must use the wording "Do Not Sell My Personal Information."
The most common way to comply with the CCPA here is for the opt-out page to include business contact details as Adler Weiner has done in this example:
Some businesses will include an online form where consumers can provide their details and confirm they want to opt out.
Note that you can't force consumers to create an online account in order to give you the opt-out request. In some cases, you may be required to have a toll-free phone number where users can contact you to opt out.
Business & Employment Notifications
Several elements of the CCPA were put on hold through an amendment process that took place between the bill being passed and the law taking effect. This process involved creating several time-limited exemptions designed to reduce the burden on businesses when the CCPA takes effect in 2020.
These exemptions are scheduled to expire on 1 January 2021. Because so many measures in the CCPA cover data handling in "the previous 12 months," you will need to begin preparing for the removal of these exemptions now rather than wait until 2021.
It is possible that the exemptions could be extended past 1 January 2021 or be made permanent. However, this is an unpredictable political issue, so you should not rely on this happening when planning your business activities and compliance.
Although the CCPA is a consumer law, it recognizes that businesses may have a seller-to-buyer (or provider-to-buyer) relationship with other businesses. When you deal with people in a business context, they enjoy the same rights when it comes to any personal information you handle.
Such "business consumers" have the right to opt out of you selling their personal information and the right to bring court action against you for violations. These rights aren't covered by any exemption, so they took effect on 1 January 2020.
There is an exemption for the notification requirements with business-to-business communications until 1 January 2021. From this date, you will have to notify business customers before or at the point of collecting any personal data.
This notification must cover:
- What data you are collecting and which of the 11 categories apply
- The business purposes for which you will use the data
This example from Techbuyer explains the "business purposes" in detail:
It includes a helpful sentence at the end that lets users know that if any information not listed is collected, or any listed information is used in a way not yet disclosed, the user will be given notice.
You'll need to take the following actions to make sure you comply with CCPA both when the initial measures take effect in 2020 and when the exemptions end in 2021:
- Organize your records of the personal information you collect from business customers so that you can quickly and accurately retrieve it if asked
- Check that you fully secure any personal data collected from business customers
- Make sure you know whether and how you sell or disclose any personal data collected from business customers. You must be ready to act if a business customer opts out of such sales.
- Update any notifications about collecting personal information to cover business customers so you are ready for the change in 2021
The CCPA also covers the rights of people when they are dealing with you in the context of employment (and work generally) rather than as customers. This can cover people who are:
- Owners or directors
- Job applicants
Unlike with business-to-business communications, in the employment context there is no general exemption to the right to bring court action against you for violations, or to your obligation to notify the person before collecting personal data.
Again, you must tell the person:
- What data you are collecting and which of the 11 categories apply
- The business purpose for which you will use the data
This example from Diaverum explains the business purpose for using personal data from job applicants:
Remember that because there is no exemption, this took effect alongside the rest of CCPA on 1 January 2020.
Where you collect such data as a standard practice, you should add the notice to any relevant documentation such as an onboarding package for new employees or a letter of agreement with contractors.
If you collect any information as part of the recruitment process, include the notice as early as possible. This could mean incorporating it in application forms or publishing it in the recruitment section of your website.
The exemption regarding employees instead covers a specific type of information, namely "employee personal information." This comprises three types of personal information:
- Information used solely in an employer-employee or business-contractor context
- Personal information used for emergency contacts
- Information used to administer employment benefits
During 2020 you will not need to tell employees what specific information you hold about them in this category. The exemption ends on 1 January 2021.
You'll need to take the following actions to make sure you comply with the CCPA both when the initial measures take effect in 2020 and when the exemptions end in 2021:
- Organize your records of the employee personal information you collect so that you can quickly and accurately retrieve it if asked
- Update any notifications about collecting personal information to cover employee personal information
- Check that you fully secure any employee data
Let's recap the key points of the CCPA including the business and employment contexts.
- The CCPA took effect on 1 January 2020. It affects large businesses and those dealing with a lot of personal data. It isn't restricted to companies based in California.
- You must notify people in advance what data you collect and how you will use it
- Some elements of the CCPA involving business and employee information are exempted until 1 January 2021
- From 1 January 2020, your business customers have the same right as ordinary consumers to opt out of their data being sold and to take you to court for violations
- From 1 January 2021, an exemption ends and so your business customers will get the same right to be notified in advance what data you collect and how you will use it
- From 1 January 2020, people you deal with in an employment or contracting context have the same right as ordinary consumers to opt out of their personal information being sold and to take you to court for violations
- With most types of personal information, they'll also have the same rights to be notified what data you collect and how you use it, and to ask what data you have stored about them
- "Employee personal information" is exempted from these rights and obligations until 1 January 2021. This covers emergency contact information, information you use to administer employment benefits, and information you use solely in an employer-employee or business-contractor context.
Remember: CCPA notification requirements often cover the past 12 months of activity. This means that you'll need to track and organize any exempted data throughout 2020, ready to produce accurate notifications and deal with data access requests from 1 January 2021.