CCPA Notices For Your Business: Internal and External

Last updated on 25 November 2019 by Nicole Olsen
On January 1, 2020, the California Consumer Privacy Act (CCPA) takes effect in California.

If you have a significant customer base in the state, or you have an office and hire in California, then you need to pay attention to this.

Not only does the new law require you to update your existing documentation, but, as you would expect, there are fines for violations.

If you fall under the scope of the CCPA, you'll need to update two groups of documents (CCPA notices): internal documents and external documents.

What do you need to do and when does it need to happen?

Here's what we know so far.

What is the CCPA?

The California Consumer Privacy Act outlines a set of privacy initiatives that aim to:

  1. Protect Californians' privacy and personal information, and
  2. Hold businesses accountable for data collection and sharing practices

Although it differs from the other sweeping privacy regulations, like the European General Data Protection Regulation (GDPR), it maintains the same spirit of transparency and accountability.

You must comply with the CCPA if you fall under the umbrella of "doing business" in the state of California (i.e., selling goods or services to residents), even if you don't have an office or another physical presence in California.

But not every business must comply. You also need to meet at least one of three thresholds:

  1. Earn more than $25 million in annual gross revenue,
  2. Buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices per year, or
  3. Derive 50 percent or more of your annual revenue from selling consumers' personal information

In other words, the CCPA targets the larger businesses whose data handling poses the most privacy risk to California residents.

For example, if you run a small ecommerce site based in Boston that sells services, does $750,000 in annual revenue, has the vast majority of its customers on the East Coast and doesn't sell data, then you don't need to comply with the CCPA as it stands.

But if you're a company the size of Facebook, with millions of users including California residents, you do need to comply even if you moved your office out of California (in that case, the revenue threshold alone brings you into scope).

The law can also apply to businesses located outside of the United States if they serve California and meet the requirements listed above.

What are the CCPA Notice Requirements?

The CCPA's focus on transparency and accountability means that documentation makes up a core component of compliance. The CCPA requires two different categories of notification: internal and external notices.

Internal notices cover your CCPA-compliant internal processes (such as HR) for handling employee data. These documents set out employee rights and prepare the HR staff who handle that data to uphold the law.

Amendments passed on the final day of the California legislative session (AB 25) exempt most employee and job-applicant data from the law until January 1, 2021. One caveat a practitioner should note: that exemption does not cover the notice at collection (the short notice of what categories of personal information you collect and why), nor the data-breach private right of action, so those still apply to employee data from January 1, 2020. Given the internal policy changes involved, you should start working on the full set of documents now. Also keep an eye on updates to the law, as further changes are likely due to challenges in the courts and pending regulations.

You will likely already be familiar with external notices. External notices are customer-facing documents that share your data practices and show customers covered by the CCPA how to exercise their statutory rights.

These include your Privacy Policy, and you must update them by January 1, 2020, when the law comes into effect. For the CCPA, this also means creating a new web page titled "Do Not Sell My Personal Information."

CCPA Internal Notices

Most of the attention so far has landed on the customer-facing parts of the law, but businesses also need to know that the CCPA applies to HR data, too.

One reason this part of the law is less well known is that it wasn't settled until recently. The California legislature argued over these issues as the bill went through the amendment process, which removed some of the original requirements. Some survive, but most of what's left won't take effect until 2021.

Reading the CCPA as it stands, some internal notices will be required if you fall under the scope of the law and you hire California residents as employees.

Internal/Employee Privacy Policies

It is routine practice to hold the personal data of employees and prospective employees. The CCPA doesn't change that. However, it brings that data within the purview of the law. That means you need a Privacy Policy geared specifically towards the HR data you collect and store.

First, you need to provide what is akin to an internal Employee Privacy Policy that lets both California job candidates and employees know:

  • What data you collect
  • Why you collect the data
  • Who you share the data with (third parties)
  • The rights of California consumers established by the CCPA
  • What data you disclose (and have disclosed in the last 12 months)
  • If you have sold any data in the last 12 months

The final point, the sale of data, probably won't affect you, as employers rarely make a habit of selling employee data. If for some reason you do sell data or intend to (for example, as part of a merger or acquisition), then you must list it.

You must also provide this information at or before the point where you collect the data. For example, you'll put the Employee Privacy Policy at the start of your job application process. It should also go into:

  • Job offer letters
  • Employee handbooks
  • New hire agreements
  • Employment agreements

Remember, these policies also need to be updated at least once every 12 months to reflect your current practices.

What Else Do I Need to Do to Keep My HR Team Compliant with the CCPA?

Further documentation is required, but it mostly falls under training employees to uphold the CCPA.

For example, you need to build mechanisms that allow employees to exercise their rights under the law (the right to know, the right to deletion and so on).

You can expect that you'll also need to:

  • Develop written policies that reflect the mechanisms for responding to rights requests
  • Amend any service agreements that impact HR data to reflect the CCPA
  • Update training documents given to those with access to HR data
  • Provide new/updated content in employee handbooks

CCPA External Notices

Your need for a Privacy Policy isn't new. CalOPPA began requiring the posting of public Privacy Policies years ago. Then, the GDPR required it back in 2018.

There's basically no way around having a Privacy Policy at this point.

However, if you fall under the scope of the CCPA, you likely need to update your Privacy Policy to reflect the new law, which requires a notice to consumers at or before the point where you collect their information.

Your current Privacy Policy should already include information about things like:

  • What types and categories of data you process
  • How you collect the data
  • Why and how you process the data
  • If and how you share data with third parties
  • How consumers can access the data you have collected
  • How you deal with Do Not Track settings

Additionally, your Privacy Policy already needs to be:

  1. Easy to read (under CalOPPA)
  2. Simple to find on the page (CalOPPA)
  3. Updated every 12 months to reflect your most recent practices (under CCPA)

Your CCPA-compliant Privacy Policy needs to include all of the information listed above plus information about the new rights granted by the CCPA.

To comply, you need to provide:

  • Descriptions of the new rights given to California residents (the right to know, deletion, opt-out of sales and nondiscrimination)
  • An explanation of how California residents can exercise those rights (for accessing their information or requesting deletion), including at least two submission methods such as a toll-free number and a web form
  • A "Do Not Sell My Personal Information" link pointing to your opt-out page
  • An updated list of the categories of personal information collected in the past 12 months in any format (including offline)
  • A description of the business or commercial purposes for each category
  • A list of the categories of personal information sold in the past 12 months
  • A list of the categories of personal information "disclosed" for a business purpose in the past 12 months

What do these new clauses look like?

There aren't too many examples out yet because there are still a few months to go before the deadline.

However, one of the best comes from PetSuites of America, which offers a full pre-CCPA Privacy Policy and a complete CCPA-compliant one as an addendum to the original.

PetSuites of America: Privacy Notice for California Residents - Introduction section

You'll notice in the excerpt above that it includes the date the company last updated the policy. This is important for letting regulators know that you updated within the last 12 months and that your practices are current.

One of the first things that stands out in this policy is the granular nature of the "Information We Collect" section. It lists every category of data named in the law, describes each one, and then states whether the company collects it. Here's an excerpt of the chart-like clause:

PetSuites of America: Privacy Notice for California Residents - Excerpt of Information We Collect clause

This is an important update to your existing Privacy Policy that you need to make by January 1, 2020.

In its descriptions of personal information, the PetSuites Policy offers a full explanation of its uses of California consumer data:

PetSuites of America: Privacy Notice for California Residents - Use of Personal Information clause

It then goes on to describe the CCPA consumer rights in detail:

PetSuites of America: Privacy Notice for California Residents - Your Rights and Choices clause

It also lists the situations in which the statute says it does not have to comply with a request. It then describes the non-discrimination clause in clear detail. The CCPA says that businesses can't discriminate against consumers who choose to exercise their rights:

PetSuites of America Terms of Use and Privacy Policy: Non-Discrimination clause excerpt

Finally, it combines two other clauses: the right to opt out of data sales and the extra opt-in protection for consumers under 16 (those aged 13 to 15 are not covered by COPPA, the federal children's privacy law, which stops at age 13):

PetSuites of America: Privacy Notice for California Residents - Personal Information Sales Opt-Out and Opt-In Rights clause

However, there is an issue. While the "Do Not Sell" clause is essential, it also needs to link to the "Do Not Sell" page. Strictly speaking, the statute's link requirement (section 1798.135) is addressed to businesses that sell personal information, and a business that does not sell personal information and says so plainly in its Privacy Policy has a reasonable argument that it doesn't need the page. In practice, many businesses are adding the clause and the page regardless, which is the safer course while the regulations are still being finalized.

PetSuites of America doesn't yet have one of these pages (and it doesn't need to until January 1, 2020). Once the page goes live, it will need to update its Privacy Policy again to link to it. A link should also go in the website footer.

Let's look at that issue a bit more.

"Do Not Sell" Notice

In addition to your Privacy Policy, you must also include a "Do Not Sell" notice or page on your site.

This is not only a rule, but it's likely something California consumers well-versed in the CCPA will look for. A recent survey found that 90 percent of consumers would opt-out of sales if they get the chance.

Your "Do Not Sell" clause needs to go into your Privacy Policy, and you need a clear and conspicuous link titled "Do Not Sell My Personal Information" on your home page that leads to the standalone opt-out page.

Newmeyer and Dillion website footer

The Do Not Sell My Personal Information page must include:

  • What data you sell to third parties, and
  • How the consumer can opt-out of the sale

You must let the consumer make the request without creating an account, and once you receive it you may not ask that consumer to opt back in to sales for at least 12 months.

What does this look like in the wild?

Elite Sports NY already has its "Do Not Sell" page up and running. The site doesn't sell data, so it doesn't need to provide a way for consumers to opt out. It has put the page up anyway, which is the cautious approach while the regulations are finalized:

Elite Sports NY Do Not Sell My Personal Information page: Selling data to third parties clause

California law firm Newmeyer & Dillion LLP also launched its "Do Not Sell" page:

Newmeyer and Dillion Do Not Sell My Personal Information page: Intro section

As above, the law firm doesn't sell personal information, but it still lets users submit a request not to sell if they choose to, and provides a form for doing so:

Newmeyer and Dillion Do Not Sell My Personal Information page: Request form

Complying with the CCPA in 2020 and Beyond

The CCPA goes into effect on January 1, 2020, and it's up to you to make sure you comply with the documentation portion of the regulations.

In general, this means maintaining at least two Privacy Policies. The one due in 2020 is an updated external Privacy Policy governing the consumer data you collect and process. While you don't need to start from scratch, there is a list of new clauses and updates to existing clauses that you must address. There are also ongoing requirements, like updating it at least once every 12 months.

Your internal documents are trickier. You'll need a full HR data Privacy Policy by 2021 to provide to both job seekers and current employees, with the shorter notice at collection already due in 2020. You can also expect to update internal documents like service agreements, your employee handbook, and any documented processes and procedures for handling HR data. However, the way the CCPA will ultimately treat HR data remains up in the air, as this is one of the parts of the law that continues to change and may well be contested once it goes into effect.

Nicole Olsen

Legal writer.