CCPA (CPRA) Notices For Your Business Employees and Customers

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 06 March 2023.

The CCPA (CPRA) has some rules and requirements for what you need to include in your Privacy Policy and other online documents when dealing with consumers. But you might not realize that the CCPA (CPRA) also affects your communications with people in a business and employment setting.

Here's what you need to know.

What is the CCPA (CPRA)?

The California Consumer Privacy Act (CCPA) is a piece of state legislation that can affect businesses across the U.S. and the rest of the world. It's designed to uphold and protect a series of privacy rights for consumers in California. It was expanded and amended with additional requirements by the CPRA.

The CCPA (CPRA) broadly says you must inform people what personal data you collect about them. You don't always need advance consent to collect the data, though consumers do have the right to opt out of you selling their data.

The CCPA (CPRA) applies to any business that serves Californian residents and meets one of three thresholds:

  • Has at least $25 million in annual revenue
  • Processes personal data relating to at least 100,000 people or households
  • Revenue from selling or sharing personal data makes up more than 50 percent of annual revenue

Consumer Notifications

As well as outlining broad privacy principles, the CCPA (CPRA) lays down some specific measures for notifying consumers about their rights and your data handling practices. The rules took effect on 1 January 2020 but can cover information collected before this.

This is what you need to publish.

A Privacy Policy (or Similar)

The CCPA (CPRA) lays out several pieces of information that you must publish online. It says these should be in your general Privacy Policy or in a page dealing specifically with privacy rights for California consumers.

The notice must cover six points:

  • What rights California consumers have under the CCPA (CPRA)
  • How they can exercise those rights (including any necessary contact details)
  • The types of personal data you've collected about consumers over the previous 12 months
  • The types of personal data you've sold over the previous 12 months
  • The types of personal data you've disclosed to third parties over the previous 12 months
  • A link to a "Do Not Sell My Personal Information" page

Here's some further detail:

Consumer Rights Under the CCPA (CPRA)

You must inform consumers that they have rights, including the following:

  • Know what personal information you collect
  • Know if you sell or disclose their personal information
  • Opt out of you selling it
  • Limit the use of sensitive personal information
  • Access their personal data and request it is deleted, corrected or no longer processed
  • Not be discriminated against for exercising privacy rights

This extract is from Hotel Cerro's Privacy Notice to its Californian customers, which details the rights and how to exercise them:

Hotel Cerro Privacy Notice for California Residents: Your Rights and Choices clause - Access to Specific Information and Data Portability Rights section

This clause does a good job of informing readers what their rights are, and what exactly that means for them. It clearly lists everything that will be disclosed to users who make a consumer request to exercise their rights.

Data Types You Handle

When you list the types of personal data you've handled, you must do so using 12 designated categories. The precise definitions are listed in the CCPA (CPRA) itself, but in summary they are as follows:

  1. Names, numbers and addresses that identify an individual
  2. Anything classed as "personal information" under California law before the CCPA took effect
  3. Anything related to "protected classifications" (in other words characteristics such as gender or disability over which employers can't discriminate)
  4. Commercial information
  5. Biometric information
  6. Internet activity
  7. Geolocation data
  8. Audio, visual, electronic and similar information
  9. Employment information
  10. Education information
  11. Profiling data (things you'd inferred about somebody from other data, for example their attitudes or preferences)
  12. Sensitive personal information

This example from Horne LLP shows how to detail sharing and disclosure using the categories system:

Horne LLP CCPA Privacy Notice: Sharing Personal Information clause

Note how it explicitly lists the category letters, which is helpful in that it references the actual law. It also includes a brief description that's easy to understand. There's also a simple statement that the company has not sold any personal information in the preceding 12 months.

"Do Not Sell My Personal Information"

You need to create a dedicated web page where consumers can opt out of you selling their personal data. As well as linking to the page from your Privacy Policy or similar text, you must also include a link from your site's home page.

The CCPA (CPRA) doesn't set down a title for the opt-out page itself, but the links must use the wording "Do Not Sell My Personal Information."

The most common way to comply with the CCPA (CPRA) here is for the opt-out page to include business contact details as Adler Weiner has done in this example:

Adler Weiner: Screenshot of its Do Not Sell My Personal Information page

Some businesses will include an online form where consumers can provide their details and confirm they want to opt out.

Note that you can't force consumers to create an online account in order to give you the opt-out request. In some cases, you may be required to have a toll-free phone number where users can contact you to opt out.

Business-to-Business Notifications

Although the CCPA (CPRA) is a consumer law, it recognizes that businesses may have a seller-to-buyer (or provider-to-buyer) relationship with other businesses. When you deal with people in a business context, they enjoy the same rights when it comes to any personal information you handle.

Such "business consumers" have the right to opt out of you selling their personal information or the right to bring court action against you for violations. These rights aren't covered by any exemption so they took effect on 1 January 2020.

You will have to notify business customers before or at the point of collecting any personal data. This notification must cover:

  • What data you are collecting and which of the 12 categories apply
  • The business purposes for which you will use the data
  • For how long you will keep or use the data

This example from Techbuyer explains the "business purposes" in detail:

Techbuyer CCPA Privacy Notice: Use of Personal Information clause

It ends with a helpful sentence telling users that they will be given notice if the company collects information not listed, or uses listed information in a way not yet disclosed.

Preparation

  • Organize your records of the personal information you collect from business customers so that you can quickly and accurately retrieve it if asked
  • Check that you fully secure any personal data collected from business customers
  • Make sure you know whether and how you sell or disclose any personal data collected from business customers. You must be ready to act if a business customer opts out of such sales.
  • Update any notifications about collecting personal information to cover business customers

Employment Notifications

The CCPA (CPRA) also covers the rights of people when they are dealing with you in the context of employment (and work generally) rather than as customers. This can cover people who are:

  • Employees
  • Owners or directors
  • Contractors
  • Job Applicants

Unlike with business-to-business communications, in the employment context there is no general exemption to the right to bring court action against you for violations, or to your obligation to notify the person before collecting personal data.

Again, you must tell the person:

  • What data you are collecting and which of the 12 categories apply
  • The business purpose for which you will use the data
  • For how long you will keep or use the data

This example from Diaverum explains the business purpose for using personal data from job applicants:

Diaverum Privacy Notice to Job Applicants: For What Purposes is Personal Data Being Processed clause

Remember that because there is no exemption, this took effect alongside the rest of CCPA on 1 January 2020.

Where you collect such data as a standard practice, you should add the notice to any relevant documentation such as an onboarding package for new employees or a letter of agreement with contractors.

If you collect any information as part of the recruitment process, include the notice as early as possible. This could mean incorporating it in application forms or publishing it in the recruitment section of your website.

An Exemption

The exemption regarding employees instead covers a specific type of information, namely "employee personal information." This comprises these types of personal information:

  • Information used solely in an employer-employee or business-contractor context
  • Personal information used for emergency contacts
  • Information used to administer employment benefits

Preparation

You'll need to take the following actions to make sure you comply with the CCPA (CPRA):

  • Organize your records of the employee personal information you collect so that you can quickly and accurately retrieve it if asked
  • Update any notifications about collecting personal information to cover employee personal information
  • Check that you fully secure any employee data

Summary

Let's recap the key points of the CCPA (CPRA) including the business and employment contexts.

  • The CCPA took effect on 1 January 2020. It affects large businesses and those dealing with a lot of personal data. It isn't restricted to companies based in California. It was amended by the CPRA, which took effect 1 January 2023.
  • Your Privacy Policy or similar document must cover the consumer's rights under the CCPA (CPRA), how they exercise them, and what types of data you collect (detailed as 12 specific categories)
  • You'll need a dedicated page for opting out of personal data being sold. Both your Privacy Policy and home page must link to this dedicated page.
  • Some elements of the CCPA (CPRA) involving business and employee information are exempted until 1 January 2021
  • Employment:

    • People you deal with in an employment or contracting context have the same right as ordinary consumers to opt out of their personal information being sold and to take you to court for violations
    • With most types of personal information, they'll also have the same rights to be notified what data you collect and how you use it, and to ask what data you have stored about them

    Remember: CCPA (CPRA) notification requirements often cover the past 12 months of activity.