The California Consumer Privacy Act and Small Business
EDITED: COMPLETE UPDATES AND POST. The law applies to employees now too in California as of 1/1/2023.
Introduction
You may have heard all the fuss about GDPR a few years ago, which established broad privacy and data access rights to consumers in the European Union. For many small businesses in the United States, even those who have websites visited by Europeans, this may have required little if anything in the way of preparation, especially if your lawyers told you that the likelihood of EU lawyers filing a claim against you is low.
However, the State of California has now passed its own version, called the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. Since this is local, it very well may apply to your company.
GDPR and CCPA are similar. For the most part, past privacy laws only required a business to keep consumers' personal information confidential, inform consumers how the information will be used, and issue notifications in case of breach. These new rules grant consumers unprecedented rights, as you'll read below. Both laws allow an individual consumer, and government bureaucrats on behalf of consumers generally, to take civil action and collect penalties from you for non-compliance.
Provisions of the CCPA
The CCPA, in short, requires certain businesses that maintain personally-identifiable information about consumers (both customers and potential customers) who reside in California to enable the consumer to see it free of charge upon request, and to disclose to the consumer what it is used for. Consumers also will have the right to prohibit a business from sharing their information, or to require it to be deleted entirely.
The law is targeted towards online service providers (any website that allows you to create a login account), and marketers or data brokers who collect, sell, or purchase consumer information. However, according to the text of the CCPA itself, if any of the following apply to your business, it is fully subject to its requirements:
- Gross annual revenue above $25,000,000 (which may go up with the CPI).
- Acquires in any manner, shares, or sells the personal information of 50,000 or more consumers, households, or devices per year.
- Derives more than 50% of annual revenue from selling personal information.
So, if your company has enough volume, either in numbers of customers or income, or if you somehow gather the information of enough people for any reason, the CCPA applies even if you don't provide online services, engage in marketing, or sell personal information. In addition, based on the third item above, some analysts believe a company such as a talent agent, which derives all of its income from selling their clients (so to speak), might be covered under this law, no matter how small the company is.
Some analysts also believe the CCPA may apply to personal information a business keeps on business partners, employees, or clients with whom you have a long-term relationship. This is because the CCPA defines "consumer" as anyone who lives in California, not necessarily a customer or website visitor.
The definition of personal information is also very broad. Data that could be tied to a customer or household, even if not linked to that person in your customer database, might still fall under that customer's control. An example is the Internet Protocol (IP) address of the computer a customer used to access your website. Even if your system stores IP addresses in a separate database to analyze the location of visitors and their activities, and these IP addresses are not linked back to customers by name in your system, this still may be considered information that personally identifies the user under the law, since each IP address is unique and can be traced to an individual subscriber of cable Internet service or a mobile carrier. This implies that businesses may have to completely redesign their databases and applications to comply with the law, or at the very least build new tools to manage the data.
The CCPA offers an exception that allows a company to keep consumer data for legitimate use. This means if you retain the information someone gave you for the reason he gave it to you, he can't demand you delete it under this law. So you can keep a record of orders, shipping and payment information, copies of contracts, etc., despite the fact these will have the names and addresses of your customers or clients. This also includes information saved in web browser cookies to enable targeted ads or product recommendations on your website, so long as your website discloses that this is happening and enables the user to opt out. However, you must ensure this information is controlled, because if it is inadvertently used for marketing activities the customer didn't agree to, or it's otherwise exposed, then you could lose claim to this exemption.
Also, it doesn't appear that a consumer has the right to force all your employees and business partners to disclose all e-mails that mention him by name, or demand that you delete and purge them from any backups or e-mail archiving systems you might have, although some analysts have warned this may be the case.
Other exemptions include keeping or using information to comply with the law, pursue or defend against a lawsuit or criminal investigation, analyze or prevent security breaches, and conduct quality control.
Finally, the law only covers data that was collected, sold, or shared in the preceding twelve months at the time a request is made for disclosure or deletion. So while data that's over a year old appears to be completely out of reach of the law, that also means data your company collected, sold, or shared in 2019 will be covered during 2020, even though the law only took effect on January 1, 2020.
What You Should Do
As you can see, there is quite a bit of uncertainty surrounding this law. Changes were made this past October, a few months before it went into effect, but over a year after the bill became law. These seem to have lessened the burden on business. But, even now, after it has taken effect, final regulations still have not been filed by the responsible state agency. Questions about compliance are still awaiting answers. For example, how exactly should a business plan to demonstrate that it is in compliance?
If the CCPA may apply to your business, the first step in gaining compliance is by instituting a formal information security program. Without such a program, it is most likely you do not have the control of your data required to comply with the rules. And because data you already have will be covered, there is no time to lose.
Although the CCPA makes an information security program more essential for many businesses, for all small businesses, having an information security program is gradually becoming the norm. Click here to read about Why and How to Implement an Information Security Program as a Small Business.