- Contingent Workforce Strategies 3.0 - https://cwstrategies.staffingindustry.com -

California Consumer Privacy Act set to take effect

On Jan. 1, the California Consumer Privacy Act, or CCPA, amends the California Civil Code and introduces provisions similar to the European General Data Protection Regulation, or GDPR, putting consumers in control of their personal data and placing obligations on companies to protect personal information. The law applies to companies that interact with California consumers. And even companies to which it doesn’t apply might want to keep an eye out, as other states are looking to follow suit.

As defined by the act, personal information encompasses any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Defining the consumer. “Consumers” are defined in the CCPA as individuals, resident in California for more than a temporary or transitory purpose, and anyone domiciled in California who is outside the state for a temporary or transitory purpose.

The act does not specifically apply in an employment context, but the definition of “consumer” is a broad one. And while an amendment, AB 25, excludes personal information collected from job applicants, employees, owners, directors, officers, medical staff and contractors of a business in relation to their role within the business, that exemption will only apply until Jan. 1, 2021, and does not apply to the CCPA’s notice and data breach liability provisions.

Their rights. Under the CCPA, consumers have the right:

The Business Effect

What companies are affected and what are their obligations?

Affected businesses. The CCPA applies to any commercial business that does business in California, which either:

Companies don’t have to be based in California or have a physical presence there to be subject to the law; they don’t even have to be based in the United States, provided they conduct business in California.

Inform. Affected businesses must inform a consumer at or before the point of collection about the categories of information to be collected and what the information will be used for. Notably, AB25 does not exempt businesses from notifying job applicants, employees, business owners, directors, officers, medical staff or contractors about the collection of personal information.

‘Do not sell.’ Businesses will have to include a “do not sell my personal information” option on websites (or through other media); and are precluded from offering a lower level of service to consumers who object to the sale of their data. However, a business can incentivize consumers to allow the sale of their data by offering enhanced products or services, subject to restrictions.

Repercussions. Companies that fail to comply with the CCPA are subject to a fine of up to $7,500 per violation. Furthermore, the act requires organizations to protect the data they have been entrusted with. The CCPA penalizes a company when a consumer’s “nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”

Although the CCPA itself does not define what security procedures and practices are “reasonable,” there is existing guidance from the state of California as well as other sources. In 2016, the California Office of the Attorney General published a Data Breach Report [1] in which 20 CIS Controls [2] are identified as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” The report further indicated that “failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Preparing for Jan. 1, 2020

Following are steps companies should be taking ahead of the Jan. 1 effective date:

More states to follow? Businesses not affected by the legislation in California may not be in the clear.

Over the course of the past year, Washington, Illinois, Texas, New Mexico and Mississippi all proposed legislation to expand privacy laws in line with the CCPA. Although none survived the legislative process, many more states have introduced bills that are based on or bear a similarity to the CCPA. The fact that some of these bills have little or no prospect of success does not necessarily mean this is the end for privacy legislation in those states.

For further information on state laws on privacy, CWS Council [4] and SIA corporate members [5] can refer to SIA’s Global Overview of Developments in Data Privacy: 2019 Update [6].