Are You Ready for the New California Employment Privacy Regulations?

You may recall that the California Privacy Rights Act (CPRA) amendments (Cal. Civ. Code § 1798.100 et seq.) went into effect January 1, 2023, but enforcement was delayed until March 29, 2024. Employers with the requisite contacts with California consumers (which is defined in an extremely broad manner) will be required to provide employees with extensive privacy notices, respond to requests to exercise new data rights, limit uses and disclosures of HR data, and obtain contractual commitments from third-party recipients of personal information.

The CPRA amendments apply to any business with worldwide gross annual revenue of $25 million or more that collects personal information from any California consumer, which includes a service provider, an employee, a job applicant or an investor, for example. All entities that share common branding will be subject to the CPRA requirements if even one of those entities meets the requisite standards.

Generally, when the employer is subject to CPRA, its employees (and service providers, job applicants, investors, etc.) have six data rights:
1. The Right to Delete
2. The Right to Correct
3. The Right to Know
4. The Right to Restrict the Use of Sensitive Personal Information
5. The Right to Opt-Out of the Sale or Sharing of their Personal Information
6. The Right to Not Be Retaliated Against for Exercising these Rights

Each of these general rights is subject to detailed requirements and exceptions that must be carefully considered and addressed by employers, who must give appropriate notification to employees. Employers’ data subject to the CPRA includes only information collected on or after January 1, 2022. Given the suspended enforcement, it is presently uncertain whether employers will be expected to be in compliance through a “look back” period that could apply as early as the enactment date of January 1, 2023, or whether employers will be given a pass on compliance until the enforcement stay expires on March 29, 2024. In any event, employers who may be subject to the amended CPRA would be well advised to start their compliance efforts as soon as possible, and should contact qualified counsel to guide their efforts.

CCPA Metrics Disclosure Requirement Takes Effect July 1, 2021

Effective July 1, 2021, annual public disclosure requirements will start to apply to every business that is required to comply with the California Consumer Privacy Act (“CCPA”), and which knows or should know that (alone or in combination) it buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10 million or more California residents in a calendar year. This requires these businesses to compile the following metrics for the previous calendar year (January 1, 2020 through December 31, 2020):

  1. The number of requests to know that the business received, complied with in whole or in part, and denied;
  2. The number of requests to delete that the business received, complied with in whole or in part, and denied;
  3. The number of requests to opt-out that the business received, complied with in whole or in part, and denied; and
  4. The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

This information must be disclosed in the business’s privacy policy or posted on its website and accessible from a link included in the privacy policy. The metrics must be updated annually by July 1. In the disclosure, a business may choose to disclose the number of requests that were denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

To review, the CCPA, which became effective on January 1, 2020, grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Currently, only for-profit businesses that collect consumers’ personal information and meet one or more of these criteria must comply: (1) the business has an annual gross revenue in excess of $25 million; (2) the business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, households, or devices; or (3) the business derives 50% or more of its annual revenue from selling consumers’ personal information. For more information about the rights afforded to California residents, and businesses’ obligations under the CCPA, see below for some of our previous CCPA blog posts.

Among other requirements, all businesses that are required to comply with the CCPA must maintain records of CCPA consumer requests and how the business responded to the requests for at least 24 months. These businesses are required to implement and maintain reasonable security procedures and practices in maintaining these records. Such records may be maintained in a ticket or log format, provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.
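The ticket/log fields and the annual metrics described above, as an added Python example (not the firm's or the regulation's own tooling): it validates one log entry against the required fields, compiles the per-type counts and median/mean response days for a reporting year, and checks the 24-month retention window. The response vocabulary, attributing a request to the year it was received, and anchoring retention on the response date are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional

REQUEST_TYPES = ("know", "delete", "opt-out")           # request kinds the metrics cover
RESPONSES = ("complied", "complied-in-part", "denied")   # assumed vocabulary for the response field

@dataclass(frozen=True)
class RequestRecord:
    """One ticket/log entry carrying the fields the CCPA record-keeping rule names."""
    request_date: date
    request_type: str                    # one of REQUEST_TYPES
    manner: str                          # how the request was made, e.g. "web form"
    response_date: Optional[date]
    response: str                        # one of RESPONSES
    denial_basis: Optional[str] = None   # required when denied in whole or in part

def validate(rec: RequestRecord) -> None:
    """Reject an entry that lacks a required field or is internally inconsistent."""
    if rec.request_type not in REQUEST_TYPES:
        raise ValueError(f"unknown request type: {rec.request_type}")
    if rec.response not in RESPONSES:
        raise ValueError(f"unknown response: {rec.response}")
    if rec.response != "complied" and not rec.denial_basis:
        raise ValueError("a request denied in whole or in part needs a denial basis")
    if rec.response_date is not None and rec.response_date < rec.request_date:
        raise ValueError("response date precedes request date")

def annual_metrics(log: List[RequestRecord], year: int) -> Dict[str, Dict[str, float]]:
    """Per request type: received / complied (in whole or part) / denied counts plus median
    and mean days to respond, for requests received in the given calendar year (assumption)."""
    out: Dict[str, Dict[str, float]] = {}
    for rtype in REQUEST_TYPES:
        rows = [r for r in log if r.request_type == rtype and r.request_date.year == year]
        for r in rows:
            validate(r)
        days = [(r.response_date - r.request_date).days for r in rows if r.response_date]
        out[rtype] = {
            "received": len(rows),
            "complied": sum(r.response != "denied" for r in rows),   # whole or partial compliance
            "denied": sum(r.response == "denied" for r in rows),
            "median_days": median(days) if days else 0,
            "mean_days": mean(days) if days else 0,
        }
    return out

def must_retain(rec: RequestRecord, as_of: date) -> bool:
    """True while the entry is inside the 24-month retention window, assumed here to
    run from the response date (or the request date if no response was recorded)."""
    anchor = rec.response_date or rec.request_date
    try:
        cutoff = anchor.replace(year=anchor.year + 2)
    except ValueError:                     # 29 Feb anchor, non-leap target year
        cutoff = anchor.replace(year=anchor.year + 2, day=28)
    return as_of <= cutoff

# Constructed sample entries (not real requests) for the 2020 reporting year.
SAMPLE_LOG = [
    RequestRecord(date(2020, 1, 10), "know", "web form", date(2020, 2, 5), "complied"),
    RequestRecord(date(2020, 3, 2), "know", "email", date(2020, 3, 20), "denied", "not verifiable"),
    RequestRecord(date(2020, 6, 15), "delete", "toll-free number", date(2020, 7, 1),
                  "complied-in-part", "exempt information"),
    RequestRecord(date(2020, 9, 9), "opt-out", "web form", date(2020, 9, 12), "complied"),
    RequestRecord(date(2019, 12, 30), "delete", "email", date(2020, 1, 10), "complied"),  # prior year
]
```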

In addition, the businesses must establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance with this sweeping data privacy law.

The California Consumer Privacy Act (“CCPA”) Is Enforceable Beginning July 1, 2020. Is Your Business Ready?

You may have noticed a recent influx of personal emails about updates to businesses’ privacy policies and terms and conditions. This may be due, in part, to the California Consumer Privacy Act (“CCPA”) allowing individuals to bring private rights of action against businesses. While the CCPA was effective January 1, 2020, it will be enforceable by the California Attorney General beginning July 1, 2020.

What is the CCPA?

The CCPA grants California consumers the right to control the personal information that businesses collect about them. Through the CCPA, California residents have the right to know what personal information is being collected, whether their personal information was sold or disclosed (and to whom), and may request that businesses delete their personal information. Under the CCPA, personal information is any data that identifies, relates to, or describes a particular person or household. Information such as a person’s name, address, and email address (even a computer IP address) are considered personal information. This applies to information collected online and offline, so the CCPA may apply to businesses even if they do not have a website.

Not all businesses need to comply.

The CCPA applies to for-profit businesses that collect consumers’ personal information and meet one or more of these criteria:

(1) The business has an annual gross revenue in excess of $25M;

(2) The business collects, buys, receives, sells, or shares the personal information of 50,000 or more California-resident consumers, households, or devices; or

(3) The business derives 50% or more of its annual revenue from selling consumers’ personal information.

Even small consumer-oriented businesses should take particular note of the second criterion: If the business’s website collects what the Act classifies as “personal information,” such as email addresses or the IP address of the computer accessing the website, it may not take very long to collect that kind of information about 50,000 California-resident devices or consumers and make the business subject to the Act.

Upon receiving a verified consumer request, businesses meeting any of the above-mentioned criteria must give California residents the means to exercise their rights under the CCPA and cannot discriminate against them for exercising these rights. Businesses must complete the consumer’s request within 45 days, although an extension of time may be available, and the process of responding to consumer requests must be supported by reasonable security procedures and practices.

What happens if a business does not comply?

A failure to cure any alleged violation of the CCPA within 30 days of notification of alleged noncompliance will subject businesses to an injunction and civil penalties of no more than $2,500 per violation or $7,500 per intentional violation. And if personal information is improperly disclosed or stolen due to the absence of reasonable security procedures and practices, businesses may be subjected to civil action for injunctive or declaratory relief, damages of $100 to $750 per consumer, per incident, or actual damages (whichever is greater), or any other relief that the court deems proper.

Are you ready to comply with the CCPA? Attorneys at Conkle, Kremer & Engel are staying current with the CCPA to guide their clients through compliance.

Employers’ Duties to Maintain Employee Privacy in a COVID-19 Pandemic

Dealing with illness in the workplace can be challenging under normal circumstances, but it is much more so in the midst of the Coronavirus pandemic. Many questions remain unanswered regarding the precise application of federal, state and local orders and their relationship with employee benefits. As COVID-19 becomes an increasing presence in California workplaces, and employers are forced to comply with government directives, it is just as important as ever for employers to take steps to maintain compliance with employee privacy regulations. Workers who suffer adverse employment decisions, such as pay reductions, furloughs and layoffs, may be particularly attuned to whether all their rights were respected in the process.

How much information may an employer request from an employee who calls in sick, in order to protect the rest of its workforce during the COVID-19 pandemic?

According to Guidance provided by the Equal Employment Opportunity Commission (EEOC) addressing the COVID-19 pandemic, employers covered by the Americans with Disabilities Act (ADA) may ask employees if they are experiencing COVID-19 symptoms such as fever, chills, cough, shortness of breath, or sore throat, but employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Does an employer have a duty to inform employees that one of their colleagues has tested positive for COVID-19?

Employers may be uncertain about whether to tell employees that there has been a reported case of COVID-19 in the workplace. Depending on the particular facts involved, information regarding illness of an employee or family member may be protected under the Health Insurance Portability and Accountability Act (HIPAA), the ADA or both.

A pandemic, on the other hand, likely alters those practices. In light of the rapid spread of COVID-19, employers should promptly inform workers if one of their colleagues tests positive for the virus. However, employers typically need not divulge the identity of an employee or employee’s family member to achieve the objective of maintaining a healthy workplace.

Employers may also choose to notify employees and other relevant parties that contagious illnesses may be present in any workplace and list precautionary steps suggested by medical professionals, such as the CDC. Even when not specifically required by law, it is important for business effectiveness to maintain the privacy of individual employees. These matters are best handled carefully to prevent unnecessary disruption in the workplace.

How should the employer communicate to employees that one of their colleagues has a suspected or confirmed case of COVID-19?

Clear, effective employer communications are critical to providing employees with relevant information, maintaining order in the workplace, and reducing employees’ concerns. Employers should keep the following in mind when developing employee communications:

• Inform employees that the company will take any reasonable and necessary steps to ensure a safe and healthy work environment.
• Identify typical symptoms employees should watch out for.
• Include information on how to protect against getting the illness.
• Advise employees of any changes to policies.
• Notify employees of any discontinued travel.
• Ensure HR is available and prepared to address employees’ questions.

What Are Employers’ Obligations to Prevent Harassment of Those Suspected of Being Infected?

Employers must take steps to prevent discrimination and harassment against individuals who have a potential claim that they are disabled due to a COVID-19 related reason. Employers should consider reminding employees of anti-harassment and discrimination company policies. Employers must be vigilant about promptly responding to and investigating any complaints of harassment or bullying in the workplace, and be conscious to limit the spread of rumors and speculation amongst the workforce.

Under the ADA, may an employer require employees to provide a doctor’s note certifying their fitness for duty when they return to work?

The EEOC says yes. The ADA permits such inquiries either because they would not be disability-related or because they are justified under the ADA standards for disability-related inquiries of employees given the COVID-19 outbreak. However, doctors and other health care professionals may be too busy during and immediately after a pandemic outbreak to provide fitness-for-duty documentation. Therefore, new approaches may be necessary, such as reliance on local clinics to provide a form, a stamp, or an e-mail to certify that an individual does not have the pandemic virus.

Conkle, Kremer and Engel’s attorneys follow the legal developments concerning Coronavirus issues at the federal, state and local level. We are available to assist employers in navigating their rights and obligations in these difficult times.

California Consumer Privacy Act of 2018 – A U.S. Version of EU’s GDPR

The California Consumer Privacy Act of 2018, regarded as the most comprehensive privacy law in the United States, was unanimously passed by the California legislature and signed into law by Governor Jerry Brown on June 29, 2018. The bill (AB 375) was fast-tracked through the State Senate and Assembly in a rush to defeat an even stricter privacy ballot initiative, which was introduced by Californians for Consumer Privacy. After weeks of intense negotiations with technology companies, Californians for Consumer Privacy agreed to withdraw the initiative if AB 375 was signed into law.

The new law, which takes effect January 1, 2020, is a reactive measure to recent privacy and data breaches, including the Cambridge Analytica scandal, and governs the use of California consumers’ data by larger companies. Businesses are required to disclose the categories of information to be collected prior to collection, as well as the identity of third parties that are allowed to access that information. Consumers also have the right to request the data that has been collected on them and may also request that the data be deleted. While consumers over 16 years old may opt out of having their data sold to third parties without being penalized, businesses are prohibited from selling data collected from consumers under 16 years old unless these underage consumers affirmatively opt in. The bill also gives California consumers the right to sue for up to $750 in the event of a data breach involving non-encrypted personal information due to the failure to implement and maintain reasonable security procedures and practices.

While this California law is the strictest in the nation, it is less restrictive than the EU GDPR. For example, the GDPR requires that consumers opt in, or give consent, by “clear affirmative action,” prior to the collection of personal data, whereas the California law only requires disclosure prior to the collection of personal data and allows consumers to opt out of the sale of personal data. Most importantly, the GDPR requires any business that offers goods or services to consumers in the EU and collects any personal data from those EU residents to comply with the GDPR, while the California law only applies to companies that do business in California and satisfy one of the following criteria: (1) have an annual gross revenue exceeding $25 million; (2) in connection with a commercial purpose, annually buy, receive, sell, or share the personal information of 50,000 or more consumers; or (3) derive 50% or more of their annual revenues from selling consumers’ personal information.

The California Consumer Privacy Act may not remain in final form as passed. Tech companies have already expressed their desire to lobby legislators to change certain provisions of the law which they believe will result in unintended consequences. Lawmakers are expected to make amendments to the bill over the course of the next 18 months.

Conkle Kremer & Engel will continue to monitor the status of the California Consumer Privacy Act and will report on changes to the final version of this law, if any. CK&E has many years of experience advising clients about regulatory compliance issues they face, and helping them prepare for foreseeable changes in the law.

GDPR is Coming: If Your Business is Online, Beware the New EU Privacy Regulation

If you sell or offer goods to EU residents, even from the U.S., it is now necessary to re-examine your data processing and privacy procedures. There is a new EU privacy law that will go into effect on May 25, 2018, with significant penalties for violations. The EU General Data Protection Regulation, or “GDPR,” covers any website, including a U.S.-based website, selling to EU residents and processing personal data of those EU residents. Here are some basic questions and issues to address concerning your online presence:

Do you collect, store, or use Personal Data? You are subject to this regulation if your website collects, organizes, stores, disseminates, uses or otherwise processes personal data of EU residents, regardless of where your website keeps or uses such information.

“Personal Data” will likely be broadly interpreted. The GDPR defines “Personal Data” very broadly to include any information that can be used to identify an individual. This can include all sorts of data, like names, e-mail addresses, office addresses, and even IP addresses.

Can your users easily revoke consent? The GDPR takes consent seriously. The GDPR requires you to demonstrate consent was “freely given, specific, informed and unambiguous” by a “clear affirmative action” on the part of the user for the processing of personal data. When you ask for the user’s consent, you must articulate “specified, explicit, and legitimate purposes” for processing the data. Limit the data you collect to what is necessary to achieve these articulated purposes. Be extra careful if you are collecting sensitive personal data – the GDPR raises the bar for obtaining consent to process “special categories of personal data.” And make sure it is as easy for the user to withdraw consent as it is to give consent.

Can you respond quickly and effectively when the user exercises rights under the GDPR? The GDPR grants users, or “data subjects,” quite a few rights, including but not limited to knowing where and why you are taking the data and anything that happens to it, objecting to its collection or use, obtaining a copy of it, correcting or erasing it, or restricting its use. Make sure you have procedures in place to respond appropriately in the event a user exercises rights under the GDPR.

Penalties for failure to comply can be steep. Failure to comply with the GDPR can expose companies to administrative fines of up to 20 million Euros or 4% of the total worldwide annual turnover of an “undertaking” of the preceding financial year, whichever is greater. Even if you use vendors to process your data, you are still responsible for monitoring compliance. You are required to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

The EU GDPR is a minefield of regulatory requirements that require a close examination of your data processing and privacy procedures. Some companies, such as Microsoft, are implementing a single system worldwide to comply with the EU’s requirements, effectively granting greater-than-required rights to non-EU residents. There will likely be considerable uncertainty and confusion as the GDPR requirements are implemented and enforcement begins. Contact Conkle, Kremer & Engel to help bring your data processing and privacy procedures into compliance.
