The COVID-19 pandemic has changed all manner of business procedures over the course of this past year, but one area you may not immediately recognize that needs to be immediately addressed relates to mandatory privacy notifications under California state law – perhaps even if you don’t have employees in the state. If you have not yet adjusted your business practices as it relates to COVID-19, you need to add this important assignment to your end-of-the-year to-do list.
Governor Newsom just signed legislation that will extend the California Consumer Privacy Act (CCPA) exemption for employee, job applicant, and independent contractor data for an additional year – until January 1, 2022. However, this legislation will become effective only if a ballot measure on the November ballot (Proposition 24), which contains a longer extension, does not pass.
In 2018, the California legislature enacted the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020 but was amended six times before it even took effect. Concerned that amendments have weakened the CCPA and that consumers still do not understand how their personal information is being used by businesses, proponents of the CCPA have proposed a ballot initiative for the November 2020 ballot titled the California Privacy Rights Act of 2020 (“CPRA”)—colloquially known as CCPA 2.0.
For the second year in a row, the Washington legislature failed to pass an ambitious consumer privacy protection bill into law.
California’s all-inclusive privacy law, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, has already been cited in numerous lawsuits. Over this next year, employers are likely to see lawsuits testing the waters of the new statute. For now, the first wave of CCPA lawsuits raise several unsettled questions and serve as an important reminder to implement procedures to bring your business in compliance.
While the federal government continues to work on a national program of consumer privacy safeguards, Washington is on the brink of joining California in a West Coast wave of consumer privacy legislation. In January 2020, a bipartisan group of Washington legislators presented new legislation for a privacy act that looks to surpass the recent California Consumer Privacy Act (“CCPA”) as the most protective consumer privacy act in the country.
On February 10, 2020, the Attorney General issued revisions to the proposed regulations to the California Consumer Privacy Act (the CCPA) which were originally published in October of last year. While the Attorney General cannot bring an enforcement action until July 1, 2020, these revisions indicate that the office is gearing up to start bringing CCPA enforcement actions in July. Further, while employers won a brief reprieve for their employee and applicant personal information due to an amendment to the CCPA, it is important to remember that this reprieve only lasts until January 1, 2021. As the law currently stands, employers have only had to comply with a small portion of the CCPA for their employees and job applicants.
Many small or solo franchisees, subsidiaries, and affiliates of larger businesses may think the California Consumer Privacy Act (CCPA), does not apply to your separate business entity because it does not meet one of the three threshold criteria for CCPA coverage: (1) your annual revenue is under $25 million; (2) you do not annually collect the personal information of 50,000 or more California residents, households or devices; and (3) you are not in the business of selling information. But upon closer inspection, you may be disappointed to learn that California’s groundbreaking new privacy law, which became effective January 1, 2020, may yet still apply to you based on a potentially broad "control" test.
Governor Gavin Newsom just signed into law two amendments to the California Consumer Privacy Act (CCPA) that will have a direct impact on employers doing business in the state. The new amendments, signed on October 11, 2019 and taking effect on January 1, 2020, require covered businesses meeting a certain revenue threshold or other criteria to implement policies and procedures that provide consumers – which includes employees – certain privacy rights not previously available under existing law.
Thanks to recent negotiations among state lawmakers, it appears that California employers may get a temporary reprieve on some of the more sweeping data privacy requirements that were set to take effect in just a few short months.