Pub. 5 Issue 2

24 Issue 2 2019 Why does the CCPA matter? The CCPA provides consumers with new rights. Consumers will have a right to know what personal information a company collects, sells, or discloses, the company’s business purpose for the collection or sale of the information, and the categories of third parties with whom the company shares that informa- tion. Consumers will have the right to request deletion of their personal information unless an exception applies. Consumers will also have the right to opt out of the sale of their personal information and be free from discrimination for electing to do so. Receiving a deletion request from a consumer also creates an obligation for the company to notify its service providers to delete the consumer’s personal information from their records, too. Depending on the amount of information a company col- lects from consumers, responding to consumer requests could result in expending considerable resources. Does theCCPA impact theway businesses handle employee information in addition to consumer information? Yes, the CCPA requires employers to disclose to employees and job applicants the categories of personal information they collect and the purpose for which the information is used. Addi- tionally, like consumers, employees will be able to make requests to their employers that allow them or their attorneys to obtain documents and records that contain their personal informa- tion. This creates a new avenue of pre-litigation discovery for employees in addition to their existing right to request personnel and payroll files. The California Legislature has recently moved to give employers more time to comply with this portion of the CCPA by introducing Assembly Bill 25. If Assembly Bill 25 passes, employers will have until 2021 to respond to employees’ personal information requests under the CCPA. Does the CCPA create a risk of litigation? Yes, the CCPA provides consumers and employees a special right to sue a company directly if their information is subject to a data breach as a result of the company’s failure to imple- ment reasonable security practices and procedures. This opens the door to litigation where there has been no financial injury to the consumer. This special right is known as a Private Attorney General Action and allows an individual to sue on behalf of all similarly situated persons, which can greatly increase the amount of recoverable penalties. All other aspects of the CCPA, except for the data breach provisions, may only be enforced by the state attorney general. What should your business do to comply with the CCPA? • Contact legal counsel for assistance with applying the law to the unique needs of your business. • Establish written security and privacy policies and up- date websites to provide all required notices. • Develop systems to receive, track, and respond in a timely way to consumer requests related to the CCPA, includ- ing a toll-free telephone number and an e-mail address. • Conduct a comprehensive data-security risk assessment for all personal information your company holds. • Draft and distribute an employee privacy policy to cur- rent employees, and disclose on your employment ap- plication the personal information you intend to collect and the purpose for collecting the information. • Train employees how to implement and maintain secu- rity practices and procedures. • Keep an eye out for further guidance to be released by the California Attorney General in the coming months. How much time does your business have to comply with the CCPA? Be aware that the CCPA is being updated and revised regu- larly. There are several proposed changes pending before the state legislature. The California Attorney General will release guidance on how to implement the law, but it is unclear when that will happen. For now, enforcement of the CCPA will begin six months after the Attorney General’s regulations are released, or on July 1, 2020 at the latest. If you have any questions about how the CCPA could affect your business, our attorneys are available to provide guidance on this rapidly evolving issue.  The California Attorney General will release guidance on how to implement the law, but it is unclear when that will happen. For now, enforcement of the CCPA will begin six months after the Attorney General’s regulations are released, or on July 1, 2020 at the latest.