New Year, New Privacy Rights -- and Rules

Published

Dec 26, 2019

When the clock strikes midnight this New Year’s, we’ll be living in a new era of data privacy. Thanks to a California law that takes effect Jan. 1, for the first time consumers will have the right to know what personal information companies collect from them and how they use it. 

Considering how much of our personal privacy has eroded in the digital age, it’s an important step forward. But the new law, known as CCPA, has also caused uncertainty for businesses that don’t have legions of lawyers to make sure they’re compliant. One study found that only 12% of companies have achieved “adequate” compliance.

At Rippling, we want to help our customers stay on top of evolving privacy standards. Here’s what you need to know.

Does it apply to you?

The law applies to any for-profit business that collects the data of Californians and earns at least $25 million in yearly revenue, makes 50% of its revenue by selling personal information, or receives the personal information of at least 50,000 California residents. 

Small companies can easily reach the 50,000 threshold by collecting customer email addresses or using cookies on their website. Even if your company doesn’t deal directly with consumers, you may still be covered if you provide online services (like payment processing) to businesses that are subject to the law.

California employers must take action 

Employee data is exempt from most of the new requirements for one year. But all California employers are still on the hook for a few things starting in January. Employers can be sued if they don’t have reasonable security measures in place to protect the personal information of their workforce.

Employers must also notify employees and contractors what type of personal information they’re collecting and how it’s being used. Rippling customers will be able to do that automatically through our platform starting in mid-January.

You could be sued for third-party data breaches

On average, companies share sensitive information with 583 third parties. If one of them has a data breach that compromises your users’ personal information, your business is liable. 

That’s bad news -- hackers know third parties are a weak link and actively target them. Vendor hacks account for over half of all U.S. data breaches including many of the biggest of 2019 (Capital One, Quest Diagnostics). These breaches cost twice as much on average and cause lasting damage to your reputation and bottom line. The best way to protect your business is to choose your vendors carefully -- check out our infographic for tips.

The penalties are strict, but there's a grace period

The law takes effect Jan. 1, but enforcement won't begin until July 1. After that, your business can be fined $2,500 - $7,500 for each violation. For the first time, individuals also have the right to bring costly lawsuits against businesses that don’t comply with disclosure or deletion requests, or are responsible for data breaches of their personal information.

The penalties are strict, but there's a grace period

The law takes effect Jan. 1, but enforcement won't begin until July 1. After that, your business can be fined $2,500 - $7,500 for each violation. For the first time, individuals also have the right to bring costly lawsuits against businesses that don’t comply with disclosure or deletion requests, or are responsible for data breaches of their personal information.

Is your business ready?

If your company does business in California, there are several steps you’ll need to take to comply with the law:

  • Update your privacy policy to be clear and transparent. 
  • Notify employees and contractors in California about the personal information you’re collecting and how it’s being used. Rippling can automate this privacy notice for you starting in mid-January.
  • Implement security best practices to avoid data breaches. Rippling customers have access to password management, app provisioning, device management, and more.

Additionally, companies that collect personal information from consumers should:

  • Conduct an inventory of all the personal data your business collects and who has access to it -- including vendors.
  • Give consumers at least two ways to submit requests to ask for their data and demand that it be deleted. One must be a toll-free phone number.
  • Establish protocols to make sure you can respond to these consumer requests within 45 days. 
  • If your business sells customer data, you must notify them and provide a clear link on your website titled "Do Not Sell My Personal Information" to let them opt-out.
  • Train any employees who handle consumer data requests or are responsible for your company’s legal compliance on their responsibilities under CCPA. 

California is the first state to enact comprehensive data privacy legislation, but it won’t be the last. In fact, nearly two dozen other states have already followed suit. Whether or not you're subject to the law on Jan. 1, CCPA will set a new standard for how businesses nationwide manage data. Don’t delay. Invest now in getting your house in order. 

last edited: March 26, 2024

The Author

Vanessa Wu

Rippling General Counsel

Vanessa is based in San Francisco and serves as the General Counsel at Rippling, where she oversees the Legal, Compliance, Enterprise Risk, and Internal Audit teams. Before Rippling, she advised on high-stakes litigation in private practice, and served as the GC of publicly-traded technology company.