The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.

Does the CCPA Apply to My Business?

The CCPA applies to a business, meaning a legal entity organized or operated for the profit or financial benefit of its owners, which does business in the State of California and satisfies one or more of the following thresholds:

  • Has gross annual revenues in excess of $25 million

  • Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices

  • Derives 50 percent or more of annual revenues from selling consumers’ personal information

Businesses that handle the personal information of more than 4 million consumers will have additional obligations.

Source: https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf

Rights under the CCPA

The CCPA grants the following rights to California Consumers (Residents of California):

  1.  The right to know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information;

  2. The right to delete personal information held by businesses and by extension, a business’s service provider;

  3. The right to opt-out of sale of personal information. Consumers are able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consent for children under 13;

  4. The right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA.

Source: https://oag.ca.gov/system/files/attachments/press_releases/CCPA%20Fact%20Sheet%20%2800000002%29.pdf

How the CCPA impacts Applicant Data

Per AB-25 that was signed into law in October 2019, This bill exempts, until January 1, 2021, from all provisions of the act, except the private civil action provision and the obligation to inform the consumer as to the categories of personal information to be collected, information collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business, as specified.

It specifically no longer applies to:

  • Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.

  • Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

  • Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.

Source: https://www.lexology.com/library/detail.aspx?g=ce373ccf-349f-438d-af29-f489fe8f821a
AB-25: 
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB25