Your Business’s Obligations to Protect Consumer and Employee Information Under the California Consumer Privacy Act

November 16, 2020, by Christina M. Le

There has been growing concern over the years regarding the control of one’s personal privacy rights and information, as the means and methods of collecting such information, and the ways to use such information to influence consumers, have grown significantly with advancing technology. The personal information and data obtained by companies from the simple use of your cell phone, credit card, or any social media can now be used to contact you, influence you, and even predict your future decisions with frightening accuracy.

We now have legitimate concerns about the dangers such data use and manipulation pose to consumers. This very topic was recently highlighted in Netflix’s documentary, The Social Dilemma, which brought to light the actions that several big Silicon Valley tech companies have taken to manipulate consumers through the use of their personal information obtained through social media, such as spying on them, controlling their social media feeds to retain engagement, and limiting the information a consumer receives in order to influence the consumer’s bias. For example, these companies can tell if you have been through a recent breakup and what you are likely to buy as a result of the breakup, and they will curate your social media feeds to market to you products and information you would find attractive under the circumstances.

As a response to these increasing concerns for privacy protections for consumers, in 2018, California enacted the California Consumer Privacy Act (the “CCPA”), a landmark law which secured new privacy rights for California’s consumers. The CCPA gives consumers:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

The CCPA also imposed new obligations upon covered businesses regarding their collection, use, storage, and disclosure of consumers’ personal information. With respect to such disclosure, businesses are required to provide a notice to all consumers at or before the collection of their “personal information.” The CCPA broadly defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The notice must identify all the categories of personal information and list the business purposes for which each category of personal information will be used. Businesses are prohibited from using the personal information collected for any other reason that is not specifically listed on the notice.

Although the CCPA has been in effect since January 1, 2020, enforcement of the Act commenced recently, on July 1, 2020. A business that fails to comply with the CCPA potentially faces significant penalties.

It should be noted that the CCPA also applies to the protection of a covered business’s employee data in the same manner as consumer data, as the CCPA’s broad definition of “consumer” includes “employees” and “job applicants.” But as a result of the recent passing of the California Privacy Rights Act (“CPRA”) on November 3, 2020, a ballot initiative that creates additional consumer privacy rights protections, employees and job applicants are currently exempt from the CCPA’s application until January 1, 2023, which extends a moratorium previously provided by Assembly Bill 1281.

The takeaway is that if you have a covered business under the CCPA, you should take measures to ensure that your business is in compliance with its obligations to protect the personal information of consumers under the CCPA, and prepare for these same obligations to apply to the business’s employees and job applicants after January 1, 2023. In addition, as privacy laws and requirements in this state are expanding and continue to change, you should take extra care to keep up to date with these laws and changes. For example, the CPRA, which is not discussed in detail in this article, adds consumer privacy rights protections that do not go into effect until January 1, 2023. The failure of your business to comply with these ever-changing requirements may subject your business to severe penalties and the risk of potential lawsuits in the future.