The California Consumer Privacy Act, which came into effect in January this year, will be enforced from 1st July. The new rules are expected to change the privacy landscape in the US, as other states prepare to follow suit with their own regulations.

The CCPA affects companies based in, or conducting business with, firms in California, if they have revenues of US$25m or California-based customers exceeding 50,000.

Under the CCPA, businesses are expected to adhere to a set of conditions whereby they must explicitly seek and manage the consent from individuals about their data preferences. To comply, companies must have a robust privacy programme which includes the compilation of a data inventory that tracks the data captured, stored, processed and shared.

There are some exceptions, however, which may mean that businesses do not have to apply the new rules to all datasets. Companies in the insurance market, for example, may be able to take advantages of relevant exemptions relating to information collected under the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act.

Until CCPA, US companies had virtually no restrictions on what they do with employee data. As part of the new rules, however, they must now inform CA workers about what data they're collecting and why -- and can be sued if that information is part of a data breach.

Vanessa Wu, data privacy expert and general counsel of HR provider Rippling, is urging employers to send their workers the legally-required data privacy notice if they have not already done so.

“The next week will tell us whether privacy still exists during a pandemic. 2020 was supposed to be the year employees finally got privacy rights. Now it seems workplace privacy could be another casualty of COVID-19."

Rippling's own research suggests that most small businesses don’t realise they’re about to be legally liable for how they handle their employees’ data.

“We've essentially turned our employers into a form of national surveillance during COVID-19 with workplace screening and testing. Now these pandemic measures are on a collision course with our country’s first data privacy law. The next week will tell us whether privacy rights exist in a crisis. I hope the answer is a resounding 'yes'.”

Share Story: