74 | 2024 Cal-Peculiarities ©2024 Seyfarth Shaw LLP www.seyfarth.com Notice Requirements Under the CCPA, covered businesses are required to notify “consumers,” in advance of collection, of the categories of personal information the business will collect, for what purposes, whether the personal information has or will be shared (and the categories of third parties with whom it is shared), and what rights the consumers have with regard to such information, along with certain other specific requirements.135 Consumer Rights Consumers have the right to request disclosure of what personal information about them has been collected and how it is used or shared ("the right to know"), the right to correct inaccuracies, the right to request deletion (subject to certain exceptions), the right to opt out of sale or sharing of personal information, and the right to limit the use and disclosure of “sensitive personal information.”136 Sensitive Personal Information "Sensitive personal information” includes a consumer’s government identification (e.g., SSN), account log-in, financial accounts and card numbers including access credentials, geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, the contents of communications, genetic data, information concerning a consumer's health, sex life, or sexual orientation, or biometric information processed for the purpose of uniquely identifying a consumer.137 Non-discrimination Consumers also have the right to not be discriminated against for exercising their CCPA rights.138 Third-party sharing and vendor management In addition to issuing the required policies and notices and responding to the above-outlined requests, employers should ensure they have in place appropriate contractual terms with vendors and others with whom they share the personal information of consumers (including employees/job applicants), conduct appropriate due diligence, and implement appropriate data governance measures where required.139 Duty to Implement Reasonable Security Measures The CCPA includes a requirement for employers to implement reasonable security measures to protect personal information. (See § 4.9.1.) Remedies Violations of the CCPA can trigger administrative fines ranging from $2,500 for each violation to $7,500 for each intentional violation or violations involving personal information of consumers under 16 years of age.140 The CCPA does not provide a private right of action for any claims other than those relating to security breaches (see § 4.9.1).141 Nor does the CCPA provide a basis for a private right of action under any other law (e.g., section 17200 of the California Business & Professions Code).142 Enforcement The amended law went into effect on January 1, 2023 and has a one-year lookback period for any data collected by businesses from January 1, 2022. Enforcement began on July 1, 2023.143
RkJQdWJsaXNoZXIy OTkwMTQ4