Viewpoint: Workplace Implications of California’s New Privacy Law


By Dan Goldstein and Sean Lally August 3, 2018

Not long after the European Union passed the General Data Protection Regulation, California became the first state to introduce its own suite of consumer privacy rules. The California Consumer Privacy Act (CCPA), which was signed into law June 28 by Gov. Jerry Brown, includes many provisions aimed at bolstering consumers' privacy rights. Here's an overview of the law and what it means for employers.

Consumer Rights

The new law is "complex and includes drafting errors and ambiguities that are byproducts of the speed with which the legislation made its way to the governor's desk," noted Morrison Foerster attorneys in a memo. Messy though it may be, the CCPA is now the law in California, so it is important to understand the act as it is written to better prepare for its implementation on Jan. 1, 2020.

Consumers have a right to:

Know about all data a business collects about them. Consumers may ask a company to disclose:

  • Specific pieces and categories of personal information collected.
  • Categories of third-party entities that have received personal information.
  • Categories of sources where the personal information was found.
  • The purposes for which the information was collected.

Consumers can expect to receive the information within 45 days—unless a 45- or 90-day extension has been granted. The requested data must be supplied by the business in a ready-to-use format and at no additional cost to the consumer.

Say no to the sale of their information. Consumers may choose to opt out of having their personal information sold to third-party vendors, and businesses must inform consumers of this option before any information can be sold.

Delete their data. Consumers can request that their personal information be removed from a database. After such a request is submitted, businesses may continue to use a consumer's personal information under certain exceptional circumstances. For instance, the CCPA may not apply if the information is used to:

  • Finalize a transaction.
  • Conduct business that is ordinarily expected "within the context of a business's ongoing business relationship with the consumer."
  • Protect against fraud or other unlawful behavior.

Be free from discrimination. Consumers can expect to not be discriminated against when they choose to exercise their rights under the act. For instance, if a consumer elects to delete personal information, the business cannot choose to charge that person more money for a product or service.

Bring a lawsuit. The law sets up a framework allowing consumers to seek legal action. The private right of action allows consumers to file a civil complaint against a company if the consumer's (nonencrypted or nonredacted) data has been copied, transferred, stolen, disclosed or accessed without prior consent.

Penalties. If successful, a person seeking compensation under the act can expect to receive between $100 and $750 per incident, depending on the severity of the violation. However, the consumer must supply written notice 30 days prior to filing suit. If, within the 30-day period, the business "cures the noticed violation" and offers written assurances that no more violations will occur, the civil action may not continue. Moreover, a business that "intentionally violates" the act may be made to pay civil penalties of up to $7,500 per violation.

Who Will Be Affected?

The act will directly affect for-profit companies that sell their products or services in California. Businesses must satisfy at least one of three criteria to be covered under the CCPA:

  • Bring in more than $25 million in annual gross revenues.
  • Derive half of their annual gross revenues from selling personal information.
  • Handle, buy, share or sell personal information belonging to at least 50,000 California residents.

Given that the act applies to all covered entities conducting business in the state, and considering that California has the world's fifth-largest economy, the law's effects will likely be felt outside of California and even outside the U.S.

Employment Standards

Though the CCPA refers to consumer privacy, it has direct implications for employment-related data, and thus for HR professionals.

Expanding on existing statutes, the act broadly defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This may include commercial information, biometric data, geolocation data and employment-related information.

Moreover, the law defines "consumer" as "a natural person who is a California resident." The act, therefore, has a much wider purview than other privacy laws and, according to Morrison Foerster's memo, covers business relationships with customers, vendors and employees. In short, the term "consumer" can be replaced with the term "employee" for the purposes of the CCPA.

Thus, employers covered under the act should ensure that information capable of being associated with their employees is handled in accordance with the CCPA.

The Future of the CCPA

It isn't yet clear how the act will be implemented. For instance, the new privacy law states that businesses must respond to requests only if they can be "reasonably verified." But since the CCPA identifies only one concrete example of reasonable verification, it isn't entirely clear what this standard means, and there may be other ambiguities that emerge over time.

To address these issues, the law requires the state attorney general to solicit public participation in drafting new rules and regulations to help facilitate the act.

Employers should take stock of their data-collection practices. This is especially true if a business satisfies one of the three aforementioned criteria. Businesses that are not covered by the CCPA might do well to follow the lead of companies like Microsoft and implement privacy measures before the tide turns.

Dan Goldstein, J.D., is the president of Denver-area-based Page 1 Solutions, a website marketing company that represents doctors, dentists and attorneys. Sean Lally is a staff writer at Denver-area-based American Legal News, which focuses on news and information about law and the legal industry. 

