CCPA Compliance in 2023: What You Need to Know

The California Consumer Privacy Act (CCPA) was created to ensure that businesses protect consumer personal information by getting these businesses to change how this data is collected and what happens to it once businesses have access to this information. As the new year approaches, many of the stipulations of this legislation are set to change with the implementation of a new law, often referred to as CCPA 2.0. 

Exemptions are expiring, and many have questions about what that means for background checks, new employment, and the collection of personal information. Here’s what you need to know. 

The California Consumer Privacy Act: An Overview

The California Consumer Privacy Act, or CCPA, was passed in 2018. It was designed to ensure consumers have control over their personal information—specifically regarding how businesses collect, use, and store this information. It was designed to ensure customers feel safer about how their personal information is handled. The law protects all California consumers, affording them the following rights:

1. The right to know what personal information businesses collect, how they use it, and how they share it. 
2. The right to delete almost all personal information a business has collected.
3. The right to opt-out of the sale of personal information. 
4. The right to non-discrimination when exercising their CCPA rights.

Additionally, the CCPA provides that businesses must give consumers notice about their privacy practices.

The CCPA took effect on January 1, 2020, and applies to any business with over $25 million in total global revenue, as well as companies that:

• Buy, sell, receive, or share the personal information of 50,000+ consumers, households, or devices.
• Earn 50 percent or more of their revenue from selling personal information. 

This does not only apply to businesses located in California; it applies to any business that fits the criteria and interacts with customers in California. This means that the CCPA impacts businesses nationwide.

The CCPA also calls for businesses to implement security measures to keep California consumers’ personally identifiable information secure from data breaches. If they do not maintain these security measures, businesses are subject to fines and penalties to safeguard this information.

About the CCPA Exemption

So, how does this apply to individuals getting background checks for compliance?

It all stems back to early versions of the CCPA and how it correlates with the Federal government’s Fair Credit Reporting Act (FCRA). This legislation protects consumers by overseeing how the Credit Reporting Agencies (CRAs) put together background checks and report to the agencies that request them. 

The FCRA includes many requirements for how CRAs (like the companies that perform background checks) use consumer data and access consumer files. This legislation provides consumers with a right of action to defend themselves against any CRAs that don’t meet the outlined requirements to store and protect their personally identifiable information properly.

With the CCPA, the California State legislature noted that these CRAs must be able to maintain compliance with the Federal Law, the FCRA. In response, they created an exemption for CRAs, as well as for employment and business-to-business interactions.

However, with the passing of this new law, the California Privacy Rights Act (CPRA), sometimes called CCPA 2.0, this exemption is set to expire on January 1, 2023. These exemptions included many of the provisions of the CCPA for employment-related information and business-to-business information, including personal information collected from job applicants, as long as this information is used solely for employment purposes. 

Prior to expiration, this exemption meant that qualifying businesses only had to provide employees and potential employees with an opportunity to opt-out of the use of their information for monetary purposes or other valuable considerations. The CCPA did not require these businesses to offer a private right of action for data breaches.

Who Does This Expiring Exemption Affect? Moving Forward into 2023

With these exemptions, there are a few important changes to note for both employers and applicants. For starters, effective January 1, 2023:

• Legally, “service providers” are not exclusive to just legal entities, legal and natural persons can also be considered service providers.
• A business’s contract with a service provider must include a provision prohibiting the service provider from selling or sharing consumer personal information. Additionally, consumer personal information may not be combined with information from other sources. 

So, what does this mean for employees and applicants? It means you don’t have to worry about the security of your personal information. When you go through a background check or share your information with The Orsus Group, your information isn’t used for any purpose other than the reasons we explicitly share with you. It stays protected and secure.

Employers that fall under CCPA guidelines should take note that vendor contracts must be updated to reflect these new requirements to qualify as a CPRA-compliant service provider. Additionally, companies that collect consumer data digitally must add a CPRA addendum to their privacy practice notices. This disclosure must meet the following requirements:

• Customers should be informed about their privacy rights as outlined by the CCPA
• Consumers should be informed about what information is being collected, where it is coming from, and why it is being used.
• Consumers should be informed about what information is shared with service providers and third parties (like The Orsus Group) and the categories of these parties.
• Consumers should be informed about what information is sold to third parties and the categories of these parties.
• Disclosures should include instructions on how to submit a privacy request.
• Disclosures should detail at least two methods on how to submit a privacy request, at least one of which is a typical way the business normally interacts with consumers.

Partner with The Orsus Group for Reliable, Compliant Information Collection

Navigating these kinds of changes can initially seem complicated. At The Orsus Group, we take the task of protecting consumer data and remaining compliant with state and federal regulations very seriously.

The Orsus Group has many processes in place to ensure we are a CCPA-compliant vendor for our clients, including, but not limited to our Privacy Policy, Retention Policy, and our Candidate Data Purge Request process.  In addition, we offer an addendum that can be added to our Client Service Agreement upon request. We are happy to support you, answer any questions you may have, and continue to offer the same level of exceptional service that is part of our long-standing reputation. Connect with our team today to learn more about how we can help.