The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Many California employers have improperly ignored its application to their businesses. While most employee rights were carved out of the CCPA’s application until January 2, 2021, there are still key requirements under the CCPA that employers of California residents must abide by starting January 1, 2020.
Does the CCPA Apply to Your Business?
The CCPA generally will apply to any for-profit company that does business in California, collects the personal information of California residents (including employees residing in California) and either (1) has at least $25 million in annual gross revenues; (2) buys, sells, shares or receives information from at least 50,000 California consumers; or (3) derives at least 50% of its annual revenue from selling California personal information.
If your business satisfies one of the thresholds, then having California employees is enough to trigger compliance requirements under the CCPA.
Compliance Required Today With Respect to California Employees
Effective January 1, 2020, all businesses that satisfy the threshold requirements under the CCPA are required to provide initial privacy notices to their California resident employees.
In addition to the initial notice requirements, California employers should be aware that a data breach of HR data stemming from a lack of reasonable protections could be the trigger for a class action lawsuit. It is important for employers to scrutinize information security policies, properly manage all third-party service providers who have access to HR data and update internal and external privacy policies to ensure compliance under the CCPA.
Risks of Noncompliance
The CCPA is enforceable both by the California Attorney General and through limited private rights of action (specific to claims with respect to data breaches). The California Attorney General will begin enforcing the CCPA six months after the publication of final regulations or July 1, 2020, whichever is sooner. Fines can run from $2,500 to $7,500 per incident (for example, a violation involving 10,000 California consumers could result in fines of $25 million to $75 million).