Passed in 2018 and effective on January 1, 2020, the California Consumer Privacy Act (CCPA) alters the way many for-profit businesses must operate. Generally, the CCPA provides California consumers rights over how and whether the personal data they provide to businesses is collected, retained and sold. Employers can now refer to recently approved regulations to provide a CCPA-compliant notice when collecting personal information.
The CCPA applies to for-profit businesses that meet one of the following criteria:
- Annual gross revenue in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households or devices; or
- Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
Because the definitions of “consumer” and “personal information” are very broad under the CCPA, the law would apply to employers with California employees. The CCPA authorizes a consumer to order a covered business to delete the consumer’s personal information, but this created a situation where a covered employer would have to delete an employee’s personal information upon request.
To address this situation, the California Legislature passed a one-year moratorium on covered employers complying with most provisions of the CCPA if the information collection is for employment purposes. However, employers still must comply with the CCPA notice provision, which requires employers to provide a notice before, or at the time of, collecting personal information from an applicant or employee that describes every category of information that will be collected and the purposes for which it will be used.
The California Department of Justice (DOJ) enforces the CCPA; enforcement began on July 1, 2020. To aid in enforcement, the DOJ submitted regulations that were recently approved and are now in effect. The regulations describe how employers may design a compliant notice. Whenever collecting personal information, an employer must provide a notice that:
- Lists the categories of personal information to be collected with each category written in a manner that provides applicants and employees a meaningful understanding of the information being collected;
- Describes the business purpose for which the information will be used;
- Uses plain, straightforward language and avoids technical or legal jargon;
- Uses a format that draws the applicant’s or employee’s attention to the notice and makes the notice readable, including on smaller screens, if applicable;
- Is available in the languages in which the business, in its ordinary course, provides contracts, disclaimers, sale announcements and other information to consumers in California; and
- Is reasonably accessible to applicants and employees with disabilities. (For notices provided online, the employer shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium. In other contexts, the business shall provide information on how a consumer with a disability may access the notice in an alternative format.)
In addition to the notice contents, the regulations require that employers make the notice readily available where applicants or employees will see the notice at the time of, or before, the collection of the information. The regulations provide illustrative examples:
- When a business collects personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.
- When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.
- When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the applicant or employee with a paper version of the notice or post prominent signage directing applicants or employees to where the notice can be found online.
- When a business collects personal information over the telephone or in person, it may provide the notice orally.
Because the CCPA is complex, employers are strongly encouraged to contact legal counsel to determine whether they need to comply with the statute and, if so, how to provide a compliant notice.