Open Season for the CCPA, Corporate Compliance Insights
Kaufman Dolowich Voluck’s Katherine S. Catlos, partner in KDV San Francisco and KDV Chief Diversity & Inclusion Officer, CIPP/US, CIPM, and Katherine Alphonso, attorney at KDV San Francisco, analyze the privacy roles of various organizations and their obligations under the California Consumer Privacy Act (CCPA) and GDPR.
Corporate Compliance Insights | January 31, 2020
A Case Study in Employee Health Care Benefits Enrollment
Allow us to paint a picture: Your Company (“YC”), as part of its employment package, offers health care benefits to all full-time employees. For the most part, the employees engage the health insurance company directly, providing the necessary personal data needed to obtain its services. The only part of this process that YC even involves itself in is footing the bill.
To be invoiced, however, YC transfers its employees’ contact information and date of birth, which were all collected at hire, to the health insurance company for employee verification. It’s not uncommon to see a situation such as this. Employers are more and more willing to provide fringe benefits on top of a competitive salary as an incentive for their employees to stay (or take the job). Understandably, many companies are now unsure of their responsibilities regarding data privacy protection given the current landscape.
Obligations Under the CCPA
Under the CCPA, which became effective on January 1, 2020, YC must first determine if its business is governed by the law. The CCPA applies to entities that collect personal information, do business in California and satisfy one or more of the following thresholds: