CCPA Notices For Your Business: Internal and External
On January 1, 2020, the California Consumer Privacy Act (CCPA) was officially enacted in California.
If you have a significant customer base in the state, or you have an office and hire in California, then you need to pay attention to this.
Not only do these new laws require you to update your existing documentation, but there are fines for violations, as expected.
Do you fall under the scope of the CCPA? You'll need to update two groups of documents (or CCPA Notices): internal documents and external documents.
What do you need to do to comply with the CCPA?
- 1. What is the CCPA?
- 2. What are the CCPA Notice Requirements?
- 2.1. CCPA Internal Notices
- 2.1.1. Internal/Employee Privacy Policies
- 2.1.2. What Else Do I Need to Do to Keep My HR Team Compliant with the CCPA?
- 2.2. CCPA External Notices
- 2.2.1. "Do Not Sell" Notice
- 3. Complying with the CCPA in 2020 and Beyond
Here's what we know so far.
What is the CCPA?
The California Consumer Privacy Act outlines a set of privacy initiatives that aim to:
- Protect Californians' privacy and personal information, and
- Hold businesses accountable for data collection and sharing practices
Although it differs from the other sweeping privacy regulations, like the European General Data Protection Regulation (GDPR), it maintains the same spirit of transparency and accountability.
You must comply with the CCPA if you fall under the umbrella of "doing business" in the state of California (i.e., selling goods or services to residents), even if you don't have an office or another physical presence in California.
But not everyone must comply. You also need to meet one of three criteria:
- Earn >$25 million in annual revenue,
- Collect personal data from >50,000 consumers (or households, or devices), or
- Earn half your annual revenue from selling data
In other words, the CCPA targets the biggest data processors that pose the most privacy risk to California residents.
For example, if you run a small ecommerce site based in Boston that sells services, does $750,000 in total business, the vast majority of your customers are based on the East Coast and you don't sell data, then you don't need to comply with the CCPA as it stands.
But if you're Facebook and you earn half of your annual revenue from selling consumer data from millions of people, including California residents, then you do need to comply, even if you moved your office out of California.
The law can also apply to businesses located outside of the United States if they serve California and meet the requirements listed above.
What are the CCPA Notice Requirements?
The CCPA's focus on transparency and accountability means that documentation makes up a core component of compliance. The CCPA requires two different categories of notification: internal and external notices.
Internal notices outline your CCPA-compliant internal processes (like HR) for processing employee data. These documents outline employee rights and prepare relevant HR employees to uphold the law.
Amendments passed on the final day of the California legislative session provide that these don't need to be in place until January 1, 2021. However, the nature of these documents and the prospective internal policy changes mean you should start working on them now. But do also keep an eye on updates to the law, as they are likely due to challenges in the court system.
You will likely already be familiar with external notices. External notices are customer-facing documents that share your data practices and show customers covered by the CCPA how to exercise their statutory rights.
CCPA Internal Notices
A significant focus has so far landed on the customer-facing facets of the law, but businesses also need to know that the CCPA likely applies to HR data, too.
One of the reasons this part of the law enjoys less notoriety is that it wasn't fully settled until recently. The California legislature fought about these issues when the bill when through the amendment process, which removed some of the initial regulation. Some do survive, but what's left won't go into effect until 2021.
When you read the CCPA, it seems that there will be some internal notices required that you must apply if you fall under the scope of the law and you hire California residents as employees.
Internal/Employee Privacy Policies
- What data you collect
- Why you collect the data
- Who you share the data with (third parties)
- The rights of California consumers established by the CCPA
- What data you disclose (and have disclosed in the last 12 months)
- If you have sold any data in the last 12 months
The final point - the sales of data - probably won't affect you, as employers rarely make a habit of selling employee data. If for some reason you do sell data or you intend to (through a merger/acquisition), then you must list it.
- Job offer letters
- Employee handbooks
- New hire agreements
- Employment agreements
Remember, these policies also need to be updated annually to reflect your most current practices.
What Else Do I Need to Do to Keep My HR Team Compliant with the CCPA?
Further documentation is required, but it mostly falls in the context of employee training for upholding the CCPA.
For example, you need to develop mechanisms that allow employees to exercise their rights under the law (right to access, erasure, etc.).
You can expect that you'll also need to:
- Develop written policies that reflect the mechanisms for responding to rights requests
- Amend any service agreements that impact HR data to reflect the CCPA
- Update training documents given to those with access to HR data
- Provide new/updated content in employee handbooks
CCPA External Notices
- What types and categories of data you process
- How you collect the data
- Why and how you process the data
- If and how you share data with third parties
- How consumers can access the data you have collected
- How you deal with Do Not Track settings
- Easy to read (under CalOPPA)
- Simple to find on the page (CalOPPA)
- Updated every 12 months to reflect your most recent practices (under CCPA)
To comply, you need to provide:
- Descriptions of the new rights given to all California residents (access, deletion, opt-out, nondiscrimination)
- Explanation of how California residents can exercise their rights (for accessing information or requesting erasure)
- A complete "Do Not Sell My Personal Information" link for opting-out of third party sales
- An updated list of data categories collected in the past 12 months in any format (including offline)
- A description of all the purposes for each category
- A list of the categories of data sold in the past 12 months
- A list of the categories of data "disclosed" in the past 12 months (for business purposes)
What do these new clauses look like?
There aren't too many examples out yet because there are still a few months to go before the deadline.
You'll notice in the excerpt above that it includes the date the company last updated the policy. This is important for letting regulators know that you updated within the last 12 months and that your practices are current.
One of the first things that stand out in this policy is the granular nature of the "Information We Collect" section. It lists all the categories of data named in the law, describes them, and then identifies whether it collects them. Here's an excerpt of the chart-like clause:
In its descriptions of personal information, the PetSuites Policy offers a full explanation of its uses of California consumer data:
It then goes on to describe the CCPA consumer rights in detail:
It also includes times when the statute says it does not have to comply with a request. However, it also describes the non-discrimination clause in clear detail. The CCPA says that businesses can't discriminate against any consumers who choose to exercise their rights:
Finally, it combines two other clauses: the right to opt-out of data sales and the extra protections made for children aged 13 to 16 (not covered by COPPA, the children's privacy law):
However, there is an issue. While the "Do Not Sell" clause is essential, it also needs to link to the "Do Not Sell" notice page. While a company only needs to accommodate Do Not Sell requests if it sells data, the clause still needs to be there and it still needs a "Do Not Sell" page.
Let's look at that issue a bit more.
"Do Not Sell" Notice
This is not only a rule, but it's likely something California consumers well-versed in the CCPA will look for. A recent survey found that 90 percent of consumers would opt-out of sales if they get the chance.
The Do Not Sell My Personal Information page must include:
- What data you sell to third parties, and
- How the consumer can opt-out of the sale
You must provide the option to make the request without requiring an account, and you need to respect the request for 12 months after you receive it.
What does this look like in the wild?
Elite Sports NY already has its "Do Not Sell" page up and running. However, the site doesn't sell data, so it doesn't need to provide a way for consumers to opt-out. Even still, the law says you must have the page:
California law firm Newmeyer & Dillion LLP also launched its "Do Not Sell" page:
Same as above, the law firm doesn't sell personal information, but it does allow users to proceed with a request not to sell if the consumer chooses to and provides a form for a user to do so:
Complying with the CCPA in 2020 and Beyond
The CCPA went into effect on January 1, 2020, and it's up to you to make sure you comply with the documentation portion of the regulations.