Does The New California Data Privacy Law Apply To Your Small Business? And If So, Is Your Business Ready To Comply?
By Ethan Watts
The California Consumer Privacy Act (Sections 1798.100 - 1798.199 of the California Civil Code) (“CCPA”), which was passed by the California State Legislature and signed into law by the Governor of California in 2018, is scheduled to become effective on January 1, 2020. The CCPA is the first of what may be a coming wave of sweeping consumer data privacy and protection laws at the state and possibly federal level in the U.S. Businesses that are not fully prepared to comply with the CCPA’s requirements on the handling of California consumers’ personal information and on responding to consumer requests could face civil penalties assessed by the Attorney General and civil actions by individuals for statutory and other damages.
The Scope of the CCPA
The CCPA provides California residents rights and protections with respect to the handling of their personal information by businesses. “Personal information” is defined broadly under the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” with examples of personal information including information such as “real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers”,… “signature,… physical characteristics or description, address, telephone number,”… “state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information”,… “[c]haracteristics of protected classifications under California or federal law”,… “[c]ommercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies”,… “[b]iometric information”,… “Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement”,… “[g]eolocation data”,… “[a]udio, electronic, visual, thermal, olfactory, or similar information”,… “[p]rofessional or employment-related information”,… “[e]ducation information”,… “[i]nferences drawn from any of the information identified in this [section 1798.140(o)] to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” (CCPA Section 1798.140(o).)
A business that utilizes personal information and does business in California, regardless of where it is located, must comply with the law if it meets at least one of the following thresholds: (i) the business has annual gross revenues in excess of $25 million; (ii) the business annually (alone or in combination) buys, sells, or receives or shares for commercial purposes personal information gathered from 50,000 or more California consumers, households, or devices; or (iii) the business derives 50% or more of its annual revenues from “selling” consumers’ personal information.
Small businesses may not be aware of the CCPA or think the CCPA only applies to larger businesses or businesses that sell personal information. However, small businesses that do business online (whether through websites, mobile apps or otherwise) and collect any information that might fall within the broad definition of “personal information” should in particular be wary of the second threshold above. (CCPA Section 1798(c)(1)(B).) For example, an online business that collected information such as email addresses or IP addresses through its website might meet the “alone or in combination, annually… receives… personal information of 50,000 or more consumers, households, or devices” threshold.
Complying with the CCPA
If the CCPA will apply to your business, your business needs to work on a compliance plan. Your business and counsel should perform a careful analysis of the CCPA and of your business’s practices relating to personal information. Indeed, if the CCPA applies, you should already be data mapping and complying with record-keeping requirements since, for example, as of January 1, 2020, California residents can begin to make requests concerning their personal information for the 12-month period preceding the request.
You should also be aware that, as of the writing of this article, there are various proposed amendments to the CCPA making their way through the California legislature (see AB-25, AB-846, AB-873, AB-874, AB-950, AB-1146, AB-1355, AB-1416, AB-1564 and SB-561). Some of those amendments would narrow a business’s obligations under the CCPA, while others would expand them. The status of the proposed amendments should be monitored, but businesses that fall under the purview of the CCPA should not wait to work on preparing to comply.
If you’re doing business in California, you should determine whether or not the CCPA will apply to your business regardless of its size. In particular, if your business has a website or mobile app that collects any information about California residents, households or devices, the CCPA may very well apply to your business. If the CCPA applies to your business, you should be working on a compliance plan.
The above discussion is intended to be a general commentary on legal issues. Each situation is different and this article is not intended as legal advice. Further, nothing in this article is intended to create an attorney-client relationship.