CCPA Notices For Your Business Employees and Customers

The CCPA took effect almost as soon as 2020 did. It changes what you need to include in your Privacy Policy and other online documents when dealing with consumers. But you might not realize that the CCPA also affects your communications with people in a business and employment setting, with some changes taking effect immediately and others delayed until 2021.

Here's what you need to know.


What is the CCPA?

The California Consumer Privacy Act (CCPA) is a piece of state legislation that can affect businesses across the US and the rest of the world. It's designed to uphold and protect a series of privacy rights for consumers in California.

What isn't so widely appreciated is that the law also protects those consumers in their professional lives. A year after the CCPA changes business-to-consumer rules, it will introduce new requirements for handling personal data about staff, contractors and business customers.

In both cases, the CCPA broadly says you must inform people what personal data you collect about them. You don't need advance consent to collect the data, though consumers do have the right to opt out of you selling their data.

The CCPA applies to any business that serves Californian residents and meets one of three thresholds:

  • Has at least $25 million in annual revenue
  • Processes personal data relating to more than 50,000 people (or households or devices)
  • Revenue from selling personal data makes up more than 50 percent of annual revenue

Consumer Notifications

As well as outlining broad privacy principles, the CCPA lays down some specific measures for notifying consumers about their rights and your data handling practices. The rules took effect on 1 January 2020 but can cover information collected before this.

This is what you need to publish.

A Privacy Policy (or Similar)

The CCPA lays out several pieces of information that you must publish online. It says these should be in your general Privacy Policy or in a page dealing specifically with privacy rights for California consumers.

The notice must cover six points:

  • What rights California consumers have under the CCPA
  • How they can exercise those rights (including any necessary contact details)
  • The types of personal data you've collected about consumers over the previous 12 months
  • The types of personal data you've sold over the previous 12 months
  • The types of personal data you've disclosed to third parties over the previous 12 months
  • A link to a "Do Not Sell My Personal Information" page

Here's some further detail:

Consumer Rights Under the CCPA

You must inform consumers that they have the right to:

  • Know what personal information you collect
  • Know if you sell or disclose their personal information
  • Opt out of you selling it
  • Access their personal data
  • Not be discriminated against for exercising privacy rights

This extract is from Hotel Cerro's Privacy Notice to its Californian customers, which details the rights and how to exercise them:

Hotel Cerro Privacy Notice for California Residents: Your Rights and Choices clause - Access to Specific Information and Data Portability Rights section

This clause does a good job of informing readers what their rights are, and what exactly that means for them. It clearly lists everything that will be disclosed to users who make a consumer request to exercise their rights.

Data Types You Handle

When you list the types of personal data you've handled, you must do so using 11 designated categories. The precise definitions are listed in the CCPA itself, but in summary they are as follows:

  1. Names, numbers and addresses that identify an individual
  2. Anything classed as "personal information" under California law before the CCPA took effect
  3. Anything related to "protected classifications" (in other words characteristics such as gender or disability over which employers can't discriminate)
  4. Commercial information
  5. Biometric information
  6. Internet activity
  7. Geolocation data
  8. Audio, visual, electronic and similar information
  9. Employment information
  10. Education information
  11. Profiling data (things you've inferred about somebody from other data, for example their attitudes or preferences)

This example from Horne LLP shows how to detail sharing and disclosure using the categories system:

Horne LLP CCPA Privacy Notice: Sharing Personal Information clause

Note how it explicitly lists the category letters, which is helpful in that it references the actual law. It also includes a brief description that's easy to understand. There's also a simple statement that the company has not sold any personal information in the preceding 12 months.

"Do Not Sell My Personal Information"

You need to create a dedicated web page where consumers can opt out of you selling their personal data. As well as linking to the page from your Privacy Policy or similar text, you must also include a link from your site's home page.

The CCPA doesn't set down a title for the opt-out page itself, but the links must use the wording "Do Not Sell My Personal Information."

The most common way to comply with the CCPA here is for the opt-out page to include business contact details as Adler Weiner has done in this example:

Adler Weiner: Screenshot of its Do Not Sell My Personal Information page

Some businesses will include an online form where consumers can provide their details and confirm they want to opt out.

Note that you can't force consumers to create an online account in order to give you the opt-out request. In some cases, you may be required to have a toll-free phone number where users can contact you to opt out.

Business and Employment Notifications

Several elements of the CCPA were put on hold through an amendment process that took place between the bill being passed and the law taking effect. This process involved creating several time-limited exemptions designed to reduce the burden on businesses when the CCPA takes effect in 2020.

These exemptions are scheduled to expire on 1 January 2021. Because so many measures in the CCPA cover data handling in "the previous 12 months," you will need to begin preparing for the removal of these exemptions now rather than wait until 2021.

It is possible that the exemptions could be extended past 1 January 2021 or be made permanent. However, this is an unpredictable political issue, so you should not rely on this happening when planning your business activities and compliance.

Business-to-Business Notifications

Although the CCPA is a consumer law, it recognizes that businesses may have a seller-to-buyer (or provider-to-buyer) relationship with other businesses. When you deal with people in a business context, they enjoy the same rights when it comes to any personal information you handle.

Such "business consumers" have the right to opt out of you selling their personal information or the right to bring court action against you for violations. These rights aren't covered by any exemption so they took effect on 1 January 2020.

An Exemption

There is an exemption for the notification requirements with business-to-business communications until 1 January 2021. From this date, you will have to notify business customers before or at the point of collecting any personal data.

This notification must cover:

  • What data you are collecting and which of the 11 categories apply
  • The business purposes for which you will use the data

This example from Techbuyer explains the "business purposes" in detail:

Techbuyer CCPA Privacy Notice: Use of Personal Information clause

It includes a helpful sentence at the end that lets users know they will be given notice if the company collects any information not listed, or uses listed information in a way not yet disclosed.

Preparation

You'll need to take the following actions to make sure you comply with CCPA both when the initial measures take effect in 2020 and when the exemptions end in 2021:

  • Organize your records of the personal information you collect from business customers so that you can quickly and accurately retrieve it if asked
  • Check that you fully secure any personal data collected from business customers
  • Make sure you know whether and how you sell or disclose any personal data collected from business customers. You must be ready to act if a business customer opts out of such sales.
  • Update any notifications about collecting personal information to cover business customers so you are ready for the change in 2021

Employment Notifications

The CCPA also covers the rights of people when they are dealing with you in the context of employment (and work generally) rather than as customers. This can cover people who are:

  • Employees
  • Owners or directors
  • Contractors
  • Job applicants

Unlike with business-to-business communications, in the employment context there is no general exemption to the right to bring court action against you for violations, or to your obligation to notify the person before collecting personal data.

Again, you must tell the person:

  • What data you are collecting and which of the 11 categories apply
  • The business purpose for which you will use the data

This example from Diaverum explains the business purpose for using personal data from job applicants:

Diaverum Privacy Notice to Job Applicants: For What Purposes is Personal Data Being Processed clause

Remember that because there is no exemption, this took effect alongside the rest of CCPA on 1 January 2020.

Where you collect such data as a standard practice, you should add the notice to any relevant documentation such as an onboarding package for new employees or a letter of agreement with contractors.

If you collect any information as part of the recruitment process, include the notice as early as possible. This could mean incorporating it in application forms or publishing it in the recruitment section of your website.

An Exemption

The exemption regarding employees instead covers a specific type of information, namely "employee personal information." This comprises three types of personal information:

  • Information used solely in an employer-employee or business-contractor context
  • Personal information used for emergency contacts
  • Information used to administer employment benefits

During 2020 you will not need to tell employees what specific information you hold about them in this category. The exemption ends on 1 January 2021.

Preparation

You'll need to take the following actions to make sure you comply with the CCPA both when the initial measures take effect in 2020 and when the exemptions end in 2021:

  • Organize your records of the employee personal information you collect so that you can quickly and accurately retrieve it if asked
  • Update any notifications about collecting personal information to cover employee personal information
  • Check that you fully secure any employee data

Summary

Let's recap the key points of the CCPA including the business and employment contexts.

  • The CCPA took effect on 1 January 2020. It affects large businesses and those dealing with a lot of personal data. It isn't restricted to companies based in California.
  • From 1 January 2020 and onward, your Privacy Policy or similar document must cover the consumer's rights under the CCPA, how they exercise them, and what types of data you collect (detailed as 11 specific categories)
  • You must notify people in advance what data you collect and how you will use it
  • You'll need a dedicated page for opting out of personal data being sold. Both your Privacy Policy and home page must link to this dedicated page.
  • Some elements of the CCPA involving business and employee information are exempted until 1 January 2021
  • Business:

    • From 1 January 2020, your business customers have the same right as ordinary consumers to opt out of their data being sold and to take you to court for violations
    • From 1 January 2021, an exemption ends and so your business customers will get the same right to be notified in advance what data you collect and how you will use it
  • Employment:

    • From 1 January 2020, people you deal with in an employment or contracting context have the same right as ordinary consumers to opt out of their personal information being sold and to take you to court for violations
    • With most types of personal information, they'll also have the same rights to be notified what data you collect and how you use it, and to ask what data you have stored about them
    • "Employee personal information" is exempted from these rights and obligations until 1 January 2021. This covers emergency contact information, information you use to administer employment benefits, and information you use solely in an employer-employee or business-contractor context.

Remember: CCPA notification requirements often cover the past 12 months of activity. This means that you'll need to track and organize any exempted data throughout 2020, ready to produce accurate notifications and deal with data access requests from 1 January 2021.