The California Consumer Privacy Act (CCPA) takes effect in January, imposing strict new data privacy mandates on many companies with employees in California, whether they are headquartered inside or outside the state’s borders. Is your company among them?

Fox Rothschild’s Privacy & Data Security team has developed a free, easy-to-use online tool — CCPA Scope Adviser — that can help you answer this important question while there is still time to create a compliance plan.

The CCPA is scheduled to take effect in just two months.

Don’t assume you’re outside the scope. CCPA carries significant penalties for noncompliance and includes a private right of action that poses the threat of consumer lawsuits over data breaches.

For a thorough overview of the law, register for our free The Ten Commandments of CCPA  webinar, scheduled for Nov. 11.

Try CCPA Scope Adviser.

Register for our free The Ten Commandments of CCPA webinar.

The California Consumer Privacy Act (CCPA) takes effect in 2020, imposing strict new data privacy mandates on many companies headquartered inside — and outside — the state’s borders.  Is your company among them?

Fox Rothschild’s Privacy & Data Security team has developed a free, easy-to-use online tool — CCPA Scope Adviser — that can help you answer this important question while there is still time to create a compliance plan.

Don’t assume you’re outside the scope.  CCPA carries significant penalties for noncompliance and includes a private right of action that poses the threat of consumer lawsuits over data breaches.  Good news, there is a slight reprieve for employers, but this is still an issue to keep on your radar.

Find out if you’re affected by using Fox’s CCPA Scoping Tool.

It looks like the back-and-forth about how much employee information will be covered under the California Consumer Privacy Act, CCPA, is likely resolved, at least for now.  The California legislature recently passed AB 25, which excludes most employment information from the CCPA.  If signed by Governor Newsom, it will specifically exclude information collected by a business for an applicant, employee, owner or contractor, if the information was collected and used solely in the employment context.  The amendment will also exclude emergency contact information and information collected and maintained to administer benefits.

While the exclusion is good news for California employers, it is limited.  The exclusion will only provide California businesses a temporary reprieve — until 2021.  That extra year will give employers more time to comply with the CCPA, and the legislature time to consider whether to extend the exception, or make it permanent.   The Governor has until October 13, 2019 to sign AB 25 into law.

More details about AB 25 and the CCPA can be found in this comprehensive Alert written by Ciera Logan.

There is a lot of confusion about how the California Consumer Privacy Act (CCPA) will impact California employers.  The California legislature is considering AB25, which has been interpreted as eliminating CCPA’s requirements for California employers.  But that is too simple of an interpretation because of the requirements of AB25 in its current iteration, as well as existing California labor laws.

Right of Access:

In general, the CCPA regulates the right of California residents to access, delete and opt out of sharing their personal data.  However, California employees already have a right to access some of their private employment data.  Under the California Labor Code, employees have the right to access and receive copies of their pay records and their personnel files upon request.  In fact, these requests are commonplace for California employers.   So that right to access won’t change.

In addition, AB25 sunsets in one year.  As of January 1, 2021, unless another arrangement has been reached, the full legal rights CCPA grants all residents will also be granted to employees.

Right of Information:

In its current iteration, AB25 reinstates the requirement to provide employees the privacy information that California businesses are required to provide all residents.  Once the final version of the CCPA passes, chances are that in addition to an online privacy notice on their websites, California employers will need to provide  applicants and employees some sort of privacy notice.  This will likely include information about what personal information is collected about them, the purpose, with whom it is shared, and what the employee/applicant’s rights are about it.

What is Data In the Scope of the Employment Relationship?

As drafted, AB25 only exempts personal information collected from an individual by a business in the course of the individual acting as a job applicant to, or an employee or contractor of that business.  Depending on how it is interpreted by the California Attorney General, certain personal information collected about (not from) employees, and certain information collected from the employees but not necessarily in connection with the employment relationship, would remain within CCPA’s scope.  This could include extra-curricular employee data, such as biometric data, or health information through a 3rd party service or app which is provided as a perk and not required for the employment relationship.

In this current climate, it is important to be careful with any information that seems “big brother-esque” or where, if discovered, an employee might ask “why would my employer have this information about me?

If you are reading blog posts and think the CCPA is not your issue as a California employer, think again.  Privacy issues are not going away, they are only expanding….

Many thanks to my partner Odia Kagan for explaining the CCPA to me, so I could explain it to you!

The California Consumer Privacy Act (CCPA), a broad-based law protecting information that identifies California residents, was passed in June 2018 and will take effect in 2020. Dubbed “GDPR Lite,” to denote its similarities to the EU General Data Protection Regulation (GDPR), it is expected to be a game-changer for U.S.-based companies that process sensitive data. With detailed disclosure requirements, a grant of extensive rights to individuals to control how their personal information is used, statutory fines and a private right of action, the law requires companies to rethink their data processing practices.

But does the CCPA apply to you?

CCPA applies to you if you fall within either A or B, below:

A.    (1) You are a for-profit business.

(2) You collect California consumers’ personal information (or such information is collected on your behalf) and determine the purposes and means of processing California consumers’ personal information.

(3) You do business in the state of California.

and

(4) You meet one of the following criteria:

(a) You have at least $25 million in annual gross revenues.

(b) You buy, sell, share and/or receive the personal information of at least 50,000 California consumers, households or devices, per year.

(c) You derive at least 50 percent of your annual revenue from selling California consumers’ personal information.

OR

B. You control or are controlled by an entity that meets the above criteria and share common branding with that entity.

Let’s break that down.

Section A:

1. You are a “for profit” business

CCPA applies to companies that are “organized or operated for the profit or financial benefit of [their] shareholders or other holders.”

Nonprofits are not required to comply with the CCPA. However, if you are a nonprofit organization that controls or is controlled by a for-profit entity that qualifies as a “business” and share common branding with, or receive personal information from a business via a “sale,” you could be subject to CCPA.

2. You collect and determine the purpose and means of processing personal information of Californians

You meet this prong if:

  • You receive, buy, rent or access information (including personal information collected passively, i.e. through cookies); and
  • Determine the purpose and means of processing of information that both:
    • identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household; and
    • pertains to an individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California, but outside the state for a temporary purpose

3. You do business in the state of California – even if you have no physical presence in California

This phrase is not defined in CCPA. It has, under California tax laws, been deemed to apply, in certain cases, to companies doing business online without any physical presence in California.

So, in the absence of guidance from the California Attorney General, it is likely that this will include you if:

  • Your headquarters is in California.
  • You have employees in California.
  • You are an entity incorporated in California or an entity required to register in California as a “foreign entity” under existing California corporate and tax law. Per a recent amendment, starting April 1, 2019, companies not registered in California, with no physical presence in California, are required to register with the California Department of Tax and Fee Administration (CDTFA), collect the California use tax and pay the tax to the CDTFA based on the amount of sales into California if their sales exceed a certain dollar threshold or they have more than 200 separate transactions.
  • You have ties to the state including, in some cases, repeated sales into the state and ownership of real property in the state.

4. You meet one of the following thresholds

  • You have at least $25 million in annual gross revenues. [Note: It is unclear at this point whether the $25 million threshold will operate at the group level and whether revenue not derived from California will count, but the general thought is that this threshold applies to overall revenues, not just revenues from California.]
  • You buy, sell, share, and/or receive (alone or in combination with others) the personal information of at least 50,000 California consumers, households or devices, per year.
    [Note: To reach this threshold, 137 unique visits to your website a day suffices.]
    [Further note: CCPA does not explicitly require that a household be physically located in California or a device be owned by a California resident. Given that CCPA was enacted to protect the right to privacy spelled out in the California Constitution (see above) and such right is bestowed on California residents, such requirement may in the future be read into the statute.]
  • At least 50 percent of your annual revenue comes from selling California consumers’ personal information.

OR

Section B: You control or are controlled by a business

CCPA would also apply to you if you control or are controlled by an entity that meets the above criteria and share common branding with that entity. Therefore, CCPA applies to entities that do business in California and those that are part of the corporate group (parents or subsidiaries) of an entity that does business in California.

B+ You may indirectly be in scope if your B2B clients say so

In order to comply with obligations under CCPA, businesses that are subject to the law will need to ensure that their third party service providers use information in a way that allows the business to be compliant (e.g. delete the information when requested, use the information only as permitted). Therefore, you could be required to comply with CCPA provisions indirectly, through an agreement with your customer.

Finally: Can CCPA apply to me if I am not a consumer facing business (B2C)?  Yes.

Despite its “Consumer Privacy Act” title, as currently drafted, CCPA applies to any business that meets the criteria listed in question one above, even if it does not deal directly with consumers. The definition of “consumer” is also very broad and includes any individual who is (1) in California for other than a temporary purpose, or (2) domiciled in California but is outside the state for a temporary purpose.

It is not yet clear whether the CCPA applies to B2B companies with respect to business contacts who meet the criteria listed in question one and/or employees who are California residents. While the current language of the CCPA and definition of “consumer” appear to include employees and business contacts, the California State Assembly recently proposed AB-25, a bill that would exclude employees, contractors and agents from the definition of “consumer.” Specifically, the bill excludes a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of or an agent on behalf of the business, to the extent the person’s personal information is collected and used solely for purposes compatible with the context of that person’s role as a job applicant, employee, contractor or agent of the business. The bill awaits final legislative action.


Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. Odia leverages her experience counseling companies on GDPR compliance issues to assist companies on the road to CCPA compliance. For assistance, contact Odia at okagan@foxrothschild.com or 215.444.7313.

Additional Information

I attended a seminar at my firm last week that set forth the next big thing in California — the California Consumer Privacy Act (CCPA).  It is California’s version of the European Union’s General Data Protection Regulation (GDPR).

If you haven’t heard of it (or focused on it), the CCPA is a broad-based law protecting information that identifies California residents (both consumers and employees).  The law includes detailed disclosure requirements, provides individuals with extensive rights to control how their personal information is used, imposes statutory fines and creates a private right of action.  It is expected to dramatically alter the way U.S.-based companies process data.

While the CCPA won’t go into effect until 2020, it has a “12 month look back” which requires companies to be able to provide information to consumers about information collected or disclosed in the immediately preceding 12 months.  While changes to the CCPA are expected, smart companies are in the planning stages now.

Check out this terrific summary of the law by my partners Elizabeth Litten and Mark McCreary, as well as this alert from my partner, Odia Kagan, outlining the top five steps to start taking now to prepare for the CCPA.

The California Consumer Privacy Act (CCPA) went into effect in 2020 and the California Privacy Rights Act (CPRA) is set to go into full effect in 2023.

But there have been a lot of developments the past couple years with the two laws, and more seem to be happening every day.

In an interview with OneTrust Data Guidance, I took a closer look at the two privacy laws and what businesses need to do to comply.

Read more here.

Our Labor & Employment team has been busy this fall! As loyal readers, your inboxes have been filled with our updates on all the changes to California employment laws.  This legislative session ended on October 14th, so we thought it would be helpful to recap the changes you should have on your radars.   These new laws will take effect January 1, 2020, unless otherwise noted.  Here are some of the highlights, with links to more in-depth information as applicable:

10) Extension of Statute of Limitations for CA Discrimination Claims

AB 9 extends the time a complainant has to file a complaint under the Fair Employment and Housing Act (“FEHA”) from one year to three years.  While enacted in response to the #MeToo movement, this bill affects all claims of employment discrimination under FEHA, not just harassment claims.

9) Expansion of Race Discrimination to Include Hairstyles

SB 188 changes the definition of “race” in FEHA to include hair texture and protected hairstyles, specifically including “braids, locks and twists.” This prohibition, which is detailed here,  may impact policies on dress codes or grooming standards.

8) Prohibition on Mandatory Arbitration Agreements

AB 51 bars employers from requiring arbitration agreements as a condition of employment.  It also prohibits retaliation against an employee who refuses to sign an arbitration agreement.  My colleagues blogged in greater detail about AB 51 here, including the likelihood that it will be preempted by the Federal Arbitration Act.

7) Remedies for Breach of Arbitration Agreements

SB 707 provides both consumers and employees  remedies when a drafting party fails to pay arbitration fees and costs in a timely manner.  Drafting parties who neglect to pay fees owed within 30 days of the due date may lose the chance to compel arbitration or may be subject to monetary or evidentiary sanctions.

6) Prohibition on “No Rehire” Provisions

AB 749 prohibits parties to an employee settlement agreement from entering into an agreement to restrict the employee’s ability to work.  In the vein of non-compete enforceability, employers may no longer add a so-called “no rehire” provision to settlement agreements, unless the employer has made a good faith determination that the employee engaged in sexual harassment or assault. This bar applies to parent, subsidiaries and affiliates of the settling party.  Read more from our blog here.

5) Additional Paid Family Leave

SB 83 increases benefits under the state’s paid family leave program (“PFL) from 6 weeks to 8 weeks of subsidized time off, beginning July 1, 2020.   It also establishes a task force to review additional increased benefits for 2021.

4) Additional Training Requirements

AB 241 and AB 242 require implicit bias training for physician, nurses, surgeons, lawyers and court staff.  Medical staff training requirements would not take effect until 2023, whereas legal training becomes effective in 2022.  SB 778 gives employers a reprieve until January 1, 2021 for mandated sexual harassment training of all employees.

3) Detailed Lactation Accommodations

SB 142 mandates detailed lactation accommodations on all California employers.  Specifically, a lactation room must not be a bathroom and must contain a surface for breast pump and personal items, a place to sit, as well as electricity, extension and charging cords.  The employee must also have access to a refrigerator or cooler and a sink with running water.

2) California Consumer Privacy Act Changes

AB 25 exempts employers from compliance with many of the laws requirements regarding collection of personal data of employees and applicants through 2020. You can find more information about the CCPA here.

1)  Restrictions on Use of Independent Contractors

Last, but certainly not least, AB 5 significantly changes which workers or businesses can be classified as independent contractors under the Labor Code and Wage Orders.  We have reviewed the changes here, and will continue to update you on changes and issues as they arise in our practice.

As always, our team is here for guidance (or just to commiserate) on these new laws.