The California Consumer Privacy Act (CCPA) will go into effect on January 1, 2020. In September, the California legislature passed a handful of amendments that may have large impacts on your business’s overall plan for compliance with the CCPA. The Governor of California has until October 13, 2019 to sign the amendments into law or veto the bills.
The CCPA is a sweeping piece of legislation designed to provide California residents with control over how their personal information is used and shared by businesses “doing business in California”. Businesses who are subject to the CCPA requirements must implement procedures for and facilitate consumer data requests, update their privacy policies and flow-down compliance obligations to their vendors. To determine whether the CCPA applies to you and your business, refer to Tackling the California Market Article.
Employee Data – AB-25. Ultimately, the CCPA will apply to employee data. However, AB 25 has sun-setted the application of most of the CCPA’s key provisions with respect to personal information that is collected about employees. As of January 1, 2020, businesses will have to provide employees notice about what categories of information the business collects and the purpose for collection, but businesses will not need to offer employees opt-out, access, and deletion rights until January 1, 2021. California resident employees will still be entitled to bring a private right of action under the CCPA with respect to a data breach.
Business to Business Data – AB 1355. AB 1355 added new Section 1798.145(l) which provides that certain obligations under the CCPA do not apply to personal information collected during business to business communications until January 1, 2021 when new Section 1798.145(l) would become inoperative. The year-long exemption would apply to “personal information reflecting written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transactions with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.” Effective January 1, 2020, B2B customer personnel will still have the right to opt-out of their information being sold and be entitled to bring a private right of action under the CCPA with respect to a data breach.
To learn more about all of the CCPA amendments and how McGrath North data privacy experts can assist you in preparing a comprehensive, tailored and practical CCPA compliance plan, contact one of our privacy experts.