What consumer rights are covered by the law?
The CCPA provides consumers with numerous rights, that if exercised will require a bit of backend work on the business' part. Consumers have the right to request the following: the specific information a business has collected about them, how the information will be used, if any third parties will have access to it, and the purpose of collecting that information. Businesses must provide an answer to all verifiable requests within 45 days.
Consumers can also request that their personal data be deleted by a business. Similar to the GDPR's "Right to be Forgotten", there are limitations to data deletion, which include:
- Legal compliance and other legal purposes
- Security purposes
- The data is needed to complete a transaction or service requested by the customer
Does CCPA apply to employee data?
One of the big questions surrounding the CCPA is if it applies to employee data. Assembly Bill 25 (AB-25) has been added as an amendment to the CCPA, as a temporary solution. The bill exempts employers until January 1, 2021, to be compliant under the CCPA regarding employee and job applicant data when the information is being used for human resource purposes. After this exemption period, employees will be awarded the same rights.
How do I comply with CCPA as an employer?
Due to the change in consumer and employee data under the CCPA, you should update not only your consumer-facing privacy policy agreements but also your internal employee privacy policies, which should be included in your employee handbook. The CCPA employee policy does not only apply to full-time employees but all California-based independent contractors and job applicants.
These policy updates should reflect all the required CCPA disclosures:
- An opt-out from the sale of consumer data
- Categories of information collected within the last 12 months and their sources
- Description of the new rights of CA residents
- How to submit a data deletion request
- Purpose of data collected
- List of categories for all personal information disclosed within the last 12 months
At first glance, CCPA compliance may seem like a daunting task due to employers having to comply not only for consumers but also for their CA employees. Luckily for employers, the California legislature has allowed a six month grace period for CCPA consumer compliance and a year-long grace period regarding employee data. If you follow the tips and tricks above and get a head start on revamping your data collection practices, your business will be in good shape for the upcoming year.
If you have questions about how CCPA applies to your business, ask a lawyer.
This article contains general legal information and does not contain legal advice. Rocket Lawyer is not a law firm or a substitute for an attorney or law firm. The law is complex and changes often. For legal advice, please ask a lawyer.