- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does an employee-facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?
The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase in throughout 2020.
Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.”1 While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These additional disclosures apply to employee privacy notices only beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:
| Privacy Notice Disclosures Required as of January 1, 2020 in All Privacy Notices (e.g., employee and non-employee) |
|---|
| 1. Identify the enumerated categories of personal information collected.2 |
| 2. Identify the general purpose for which information will be used.3 |

| Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices |
|---|
| 1. Explain the ability of a California resident to request access to their personal information.4 |
| 2. Identify the enumerated categories of personal information shared with service providers.5 |
| 3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6 |
| 4. State that a California resident has the ability to opt-out of sale of information (if applicable).7 |
| 5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8 |
| 6. Explain the ability of a California resident to request deletion of their personal information.9 |
| 7. Provide general information concerning the sources from which personal information was collected.10 |
| 8. Provide general information concerning the third-party recipients of personal information.11 |
| 9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12 |
| 10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13 |
| 11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14 |
| 12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15 |
The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.
What are data brokers required to do under California law?
In addition to complying with the general compliance obligations of the CCPA, data brokers are required to take the following actions:
- Registration. Data brokers are required to register with the California Attorney General.1
- Fees. Data brokers are required to pay a fee as part of the registration process.2
- Opt-out Mechanism. As data brokers, by definition, sell personal information, they are required to provide an opt-out mechanism by which consumers can instruct the broker to cease such sales.3
- Respond to Opt-Out Signals. As data brokers, by definition, sell personal information, they are required by the regulations implementing the CCPA to “treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicates or signal[s] the consumer’s choice to opt-out of the sale” of personal information as an opt-out request.4
Does a business need to post a “do not sell” link if it does not sell personal information?
The CCPA requires businesses that sell personal information to, among other things, explain that consumers have a “right to opt-out” of the sale,1 and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes the consumer to a mechanism that permits the exercise of the opt-out right.2 If a business does not sell personal information, and if the business affirmatively states that it does not sell personal information in its privacy notice, it is not required to provide a “notice of [the] right to opt-out” or post the “Do Not Sell” link.3
What steps must a business take if it sells personal information?