In our latest installment of "Ask the Attorney," we answer questions concerning the California Consumer Privacy Act (CCPA), which went into effect in California on January 1, 2020.
Melissa Snyder, FCRA-Advanced Certified from the Professional Background Screening Association (PBSA), is Good Egg's attorney and compliance manager, and she will tackle this important topic.
The big disclaimer, of course, is that any information she provides in this article is simply educational in nature, not legal advice. You should consult your own attorney regarding your specific situation.
Now, onto the latest question . . .
QUESTION:
Does Good Egg have a disclosure in place that meets CCPA requirements? Or is there a plan to have that in place by 1/1/20?
MELISSA:
First, let's talk about the California Consumer Privacy Act (AB-375) generally, before getting into the specifics regarding Good Egg.
What is the California Consumer Privacy Act (CCPA)?
This article sums it up well. The CCPA "allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach."
The article further notes: "The CCPA originally covered employee as well as consumer data. An amendment passed in April, however, exempts employee data from the regulation. Another amendment, AB 25, partially exempts personal information collected from job applicants, owners, directors, officers, medical staff, and contractors. This exemption would expire on January 1, 2021. AB 25 was awaiting the governor's signature at this writing."
How does the CCPA affect background check companies like Good Egg?
As a consumer reporting agency (CRA), Good Egg is actually exempt from nearly all obligations imposed by the CCPA, including access, deletion, and "do not sell" rights.
The exemption for credit information collected pursuant to the Fair Credit Reporting Act (“FCRA”) was broadened to cover any “activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency.”
However, under the FCRA, we must comply with similarly rigorous requirements. For example, we are prohibited from reselling, transferring, or selling consumer information to anyone other than our end-user/client, and we follow stringent methods for secure deletion of consumer information pursuant to FTC rules. Good Egg also strictly follows reasonable procedures to verify the identity of the consumer and the legitimacy of consumer requests for access and deletion.
Further, we have a consumer information privacy policy accessible on our website that provides our clients’ employees and applicants with notice of the categories of data we collect and the purposes for which the data will be used, along with access rights, information storage, disposal, and disclosure. There is also a special notice for California residents.
So does the CCPA apply to Good Egg at all?
All the above being said, we are not exempt from the CCPA’s private right of action for data breaches resulting from “unreasonable security." This is not a problem, as Good Egg strictly adheres to the highest industry standards when it comes to securely storing and assuring authorized access to and use of personal consumer information for screening purposes, as evidenced by our achieving accreditation from the Professional Background Screening Association (PBSA).
Any other important notes regarding CCPA, background check compliance, and Good Egg's clients?
Importantly, the FCRA-usage exemption in the CCPA also applies to the users of consumer reports (our client).
So in addition to the temporary employer reprieve in place until January 1, 2021, exempting personal information employers collect in the employment context from most of the CCPA’s requirements, our clients have the broader, indefinite FCRA exemption to rely on.
The one caveat is that the FCRA-use exemption only applies to the extent that the data is collected/used subject to regulation under, and as authorized by, the FCRA (meaning for a permissible employment purpose).
If the employer uses the information for any other purpose (in violation of the FCRA), the CCPA would technically apply.
So as long as the client does not use the consumer information we obtain and furnish in a manner that violates the FCRA, their use will be exempt from the coverage of the CCPA.
Got a question for Melissa? Let us know!
Check out previous "Ask the Attorney" features:
