California Consumer Privacy Act

Recognizing that companies store and sell massive amounts of consumers’ private information for profit, the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100, et seq., is designed to protect consumer privacy rights by requiring businesses to provide more transparency about the data they collect on consumers. 

The CCPA generally allows any California consumer to demand to see all the personal information that a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the CCPA specifies that companies must have a clearly visible footer on websites offering consumers the option to opt-out of data sharing. 

Under the CCPA, consumers are permitted to directly sue any company for violating the privacy requirements of the statute. The CCPA also expressly permits class-action lawsuits, which is a way for consumers to band together to recover between $100-$750 per violation per consumer, or actual damages, whichever is greater. California Civil Code § 1798.150. A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation is also available. California Civil Code § 1798.155.

Background Checks

State and federal laws protect employees against the unfair and discriminatory use of background and credit checks by employers.

 

Fair Credit Reporting Act (“FCRA”) (15 U.S.C. § 1681 et seq.

Discriminatory Use of Background Checks

It is illegal under state and federal anti-discrimination laws for an employer to conduct background checks of job applicants based on the applicant’s race, gender, national origin, or any other protected characteristic. 

Unfair Use of Background Checks

When conducting background and credit checks, the employer must comply with very specific requirements under state and federal laws. Employees/applicants can sue for actual damages or penalties ranging from $100 to $1,000 for willful violations of the FCRA.  

General Requirements

When an outside company prepares a background report, the FCRA requires the employer to:

  • Give the employee/applicant notice on a separate document that a report may be required. This notice cannot be buried within other documents such as an employee handbook.

  • Obtain the employee/applicant’s written authorization. The authorization must be limited to just that; it cannot ask you to waive other rights in addition to providing authorization for the background check.

  • Get the employee/applicant’s specific permission if medical information is requested.

  • Provide specific notice if an employee/applicant’s neighbors, friends, or associates will be interviewed about “character, general reputation, personal characteristics, or mode of living”

Before Any Adverse Action May Be Taken

Before the employer takes any adverse action against an employee/applicant based on information garnered from a background check, the employer must provide a notice that includes a copy of the consumer report the employer relied on to make the decision, and a copy of: “A Summary of Your Rights Under the Fair Credit Reporting Act.”

After Adverse Action Is Taken

After taking an adverse employment action, the employer must, among other things, inform the employee/applicant of the following: that he or she was rejected because of information in the report; the name, address, and phone number of the company that sold the report; and that he or she has a right to dispute the accuracy or completeness of the report and get an additional free report from the reporting company within 60 days.

California Consumer Credit Reporting Agencies Act (“CCRAA”) (Cal. Civ. Code § 1785, et seq.)  

California Investigative Consumer Reporting Agencies Act (“ICRRA”) (Cal. Civ. Code § 1786.10, et seq.)

The CCRAA and ICRRA are similar to the FCRA, but they provide California employees with even greater privacy protections. For instance, the FCRA only applies when an employer uses an outside company to conduct the background report, while the CCRAA applies even when an employer does the background check internally (if an employer chooses a self-screening method, the employer must provide you with a box to check on an application or other document that asks if you would like a copy of public records).

Another difference is that under the FCRA, once an employee/applicant gives permission for background check, the employer does not need to get your permission to run a check in the future. However, under California law, an employer must give an employee notice and secure permission “at any time an investigative consumer report is sought for employment other than suspicion of wrongdoing or misconduct.” 

Under the CCRAA, employees/applicants can sue for actual damages or penalties of up to $5,000.

 

Unsolicited Telemarketing Calls - The Telephone Consumer Protection Act (“TCPA”) (47 U.S.C. § 227)

The TCPA restricts the making of telemarketing calls and the use of automatic telephone dialing systems and artificial or prerecorded voice messages:

  • A “telemarketing” call is a call made by advertisers that market products or services. Purely informational calls and calls for non-commercial purposes are exempt.

  • An “autodialed” call is a phone call that is made using an “autodialer,” or automatic telephone dialing system, that can produce, store and call telephone numbers using a random or sequential number generator.

  • A “robocall” is a phone call that uses an “autodialer” system to deliver a pre-recorded telemarketing message. SMS text messages to cellular phones are considered “calls” under the TCPA. The TCPA applies to both voice and text messages, if they are transmitted for marketing purposes. The TCPA has been interpreted in recent years to prohibit the sending of unsolicited commercial text messages to cell phones – with limited exceptions (i.e., messages sent for emergency purposes).

Prior express written consent is required for:

  • All autodialed and/or pre-recorded calls/texts sent/made to cell phones.

  • All pre-recorded calls made to residential land lines for marketing purposes. Note that even if you have an “established business relationship,” the company still has to obtain your written consent.

Consumer consent must be unambiguous, meaning that the consumer must receive a “clear and conspicuous disclosure” that he/she will receive future calls that deliver autodialed and/or pre-recorded telemarketing messages on behalf of a specific advertiser; that his/her consent is not a condition of purchase; and he/she must designate a phone number at which to be reached (which should not be pre-populated by the advertiser in an online form). Limited exceptions apply to this requirement, such as calls/texts from the consumer’s cellular carrier, debt collectors, schools, informational notices and healthcare-related calls.

The TCPA provides for either actual damages or statutory damages ranging from $500 to $1,500 per unsolicited call/message. 

 

Illegal Call Recording

California’s Invasion of Privacy Act (CIPA), California Penal Code § 630, et seq., generally makes it unlawful for businesses to record your calls with them without first securing consent to record the call. Violations of the CIPA include recording telephone conversations and recording cellphone conversations without prior consent. If you believe a call you have had with a business was recorded, but the business representative did not give you notice and secure your consent, the business may have violated the CIPA. Consumers can take legal action and seek compensation against creditors who have recorded phone calls for illegitimate purposes. This includes pursuing statutory damages of $5,000 for each instance of illegal recording. California Penal Code § 637.2. 

 

Unlawful Requests for Personal Identifying Information During Retail Purchases

Under the California Song-Beverly Act (California Civil Code § 1747.08) retailers are prohibited from collecting and storing personal identification information (“PII”) from customers when completing credit card transactions. PII includes information not on the credit card, such as your address, telephone number, or even just your zip code. The retailer may demand reasonable identification, but may not record PII by entering it into the cash register, for instance, at the time of the transaction. There are exceptions to this law, and it generally does not apply to transactions conducted online or via telephone or mail.

A retailer that violates the Song-Beverly Act may be subject to penalties of up to $1,000 per violation. California Civil Code § 1747.08(e).

 

Unlawful Storage of Credit Card Information

The Fair and Accurate Credit Transactions Act (“FACTA”) (15 U.S.C. § 1681 et seq.) mandates that retailers adhere to certain criteria in order to protect consumers’ personal information and help prevent credit card fraud and identity theft. FACTA applies to all forms of electronically printed customer receipts that are printed during a transaction by a cash register, self-service kiosk, or by other means or machines. Under FACTA, a retailer can only include the last five digits of a debit or credit card number on a receipt, and additionally, the receipt cannot list the expiration date of a debit or credit card. For instance, a receipt that lists “xxxx xxxx xx33 xxxx” would be in violation of FACTA, even though there are fewer than five digits listed, because the digits listed were not part of the last five digits.

A retailer that violates FACTA may be subject to penalties of up to $1,000 per violation. 

Privacy of Medical Records

The California Confidentiality of Medical Information Act (“CMIA”) (California Civil Code § 56, et seq.) expands upon the protections under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) law. Generally speaking, the CMIA prohibits healthcare providers from disclosing medical information regarding a patient without first obtaining a written authorization. Any person or entity who knowingly and willfully violates the CMIA is liable for administrative fine or civil penalty of up to $2,500 per violation. Cal. Civ. Code § 56.36.