California never makes it easy...and the California Consumer Privacy Act (CCPA) is no exception.
 
If you are a for-profit entity that does business in CA (repeated transactions with CA consumers) then you need to know whether the CCPA privacy notice and security requirements apply to your business. The CCPA is a very broad privacy law (similar to Europe's GDPR) which became effective January 1, 2020. You may be a "business" under the CCPA if any of the following apply:
  1.  Annual gross revenue exceeds $25 million;
  2. "Alone or in combination" annually buys, receives for commercial purposes, shares for commercial purposes, or sells personal information of 50,000 or more California residents;
  3. Derives 50% or more of annual revenue from selling personal info; or
  4. Controls or is controlled by a for-profit entity that meets any of the preceding 3 factors and shares "common branding" with that business.
See Cal. Civ. Code § 1798.140(c). If you meet the "business" definition and have CA resident employees, independent contractors, owners/officers, or job applicants, there are additional privacy notice and security requirements that apply (and were required to be implemented by January 1, 2020).
We have developed draft Privacy Notices for both Consumers and California Employees, Contractors, and Job Applicants regarding any "Personal Information" (name, address, SSN, DOB, biometric thumbprint for timekeeping, employment verifications, criminal history, etc.) collected. Because company practices can vary widely regarding what information is collected and why (e.g., Do you have surveillance videos? Do you maintain voice recordings?), it is important to set up a call to review the types of data collected before tailoring any CCPA notices.
 
Even if you are not based in California, if you meet the definition of a "business" under the California Consumer Privacy Act (CCPA), you should consider appropriate compliance implementation. 