In 2018, California lawmakers passed the California Consumer Privacy Act (CCPA), giving California residents a number of consumer privacy rights, including the right to find out what personally-identifying information for-profit companies are collecting about them, to opt-out of having such information collected, and to have that information deleted.
The CCPA only applies to for-profit companies doing business in California, that: (a) have annual gross revenues in excess of $25 million; or (b) receive or disclose the personal information of 50,000 or more Californians; or (c) derives 50 percent or more of their annual revenues from selling California residents’ personal information.
Although not covered by the law, public agencies, including school districts, county offices of education, charter schools, community college districts, the California State Universities, or the University of California that contract with a for-profit company who will be collecting information relating to their operations, should make sure to include contractual provisions that require for-profit companies to comply with all applicable privacy laws, including the CCPA. We also recommend tracking changes in this area of law, to help in understanding what may be expected of vendors and what expectations employees, families, and community members may have with respect to their privacy, as this is a rapidly and constantly changing area of law.
For example, the CCPA includes an exemption from its provisions for information collected by a business about a natural person in the course of the person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. Also exempted is personal information reflecting a written or verbal communication or a transaction between the business and a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.
These exemptions were set to sunset on January 1, 2021. However, in November, the voters will vote on Proposition 24, which, if enacted, would amend the CCPA by, among other things, extending these sunsets by two years, to give stakeholders additional time to assess whether certain business transactions should be exempted and how to protect employee privacy. Contingent on that Proposition not passing in November, AB 1281 extends the exemptions by an additional year to January 1, 2022, to give stakeholders more time to assess these issues, regardless of the outcome of Proposition 24.
(AB 1281 amends Section 1798.145 of the Civil Code.)