The January 1, 2020 compliance date for the California Consumer Privacy Act of 2018 is quickly approaching. The CCPA requires California businesses to maintain reasonable security procedures and to disclose how the business collects, stores or shares consumers’ personal information. The law also provides consumers with the right to opt out (so that their personal information is not sold to third parties), and to delete or receive the specific pieces of personal information. A consumer whose non-encrypted or non-redacted personal information is accessed or stolen also has the right to sue a business that fails to maintain reasonable security procedures.
The California Legislature made some last-minute changes to the CCPA prior to the close of the legislative session on September 13, 2019. The amendments provide businesses with some relief for employee information and loyalty programs. The legislature also modified the definition of personal information through AB 874 by excluding information that is publicly available or is de-identified or aggregated. The bills will become law if they are signed by Governor Newsom before October 13, 2019.
Most importantly, the legislature passed AB 25, which exempts information from business-related persons including employees, potential employees or contractors until January 1, 2021 so long as the business provides a privacy notice indicating the personal information that is collected and how it is used. Businesses should understand the information that they collect about employees and draft a privacy statement. By January 1, 2020, the privacy statement should be disseminated and signed by employees.
Businesses that use loyalty plans should also pay close attention to the requirements of AB 846. The CCPA prohibits businesses from discriminating against a customer who does not want the business to use his or her personal information. A business may not deny services, charge a different fee or offer a different level of service. AB 846 allows businesses to provide a loyalty program that consumers may voluntarily opt into so long as the offering is not unjust or coercive.
A business may also sell the consumer’s information to a third party as a part of the loyalty program so long as the third party is providing the consumer with a financial benefit such as a discount or sale. The business must obtain the consumer’s consent to the sale of personal information to a specific third party, and disclose the terms of the sale. The third party must limit the use of personal information to the identification of the consumer as a member of a loyalty program.
Businesses should review loyalty programs, or other offerings intended to collect personal information, to determine whether the programs meet the requirements of AB 846. Companies should also review customer onboarding and data privacy procedures to ensure that the appropriate measures, including customer consent, are taken prior to the transfer of personal information to outside third parties.
Complying with the CCPA is a tremendous undertaking for any organization. As the compliance date inches closer, companies should make sure that employees are appropriately trained in order to mitigate the risk associated with a consumer’s private right of action under the law. The CCPA is the beginning of a whole new world of data protection and consumer rights in the US. It is a challenge that can only be overcome with preparation, testing, and perseverance.