Data privacy laws requiring businesses to take steps to safeguard customers’ and employees’ personal information, and to notify them if a breach occurs, have been on the books for years. Recently, however, a new California privacy law—the California Consumer Privacy Act (CCPA)—was enacted that guarantees consumers (but not employees, at least for now) the right to know what personal information is being collected about them. It also requires businesses to respond to consumer requests for records showing all the personal information the business has collected about them and any third parties with which it has shared or sold their data, as well as requests to have their data erased and to opt out of the sale of their personal information.
The new law becomes effective on January 1, 2020, and enforcement begins on July 1, 2020. Other states, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island, are following California’s lead and considering similar legislation. Because the California law will affect many small businesses, including some located in other states, and because it is likely that other states will adopt similar laws, it is important for small business owners to be aware of the new law and its potential impact on them.
Which Businesses Must Comply?
The CCPA applies to businesses that fall into at least one of the following categories: (1) those that earn $25 million or more in annual revenue; (2) those that buy, receive, or sell the personal data of at least 50,000 consumers or households; or (3) those that obtain at least half of their revenue selling the personal data of California residents. Any business, including those located outside of the state of California, will be subject to the law, as long as it meets one of the three conditions mentioned above. It has been estimated that more than 500,000 U.S. businesses, including many small businesses, will be impacted. The law does not apply when a business’s commercial conduct “takes place wholly outside of California,” i.e., (1) the business collected information while the consumer was outside of California; (2) no part of a sale of the consumer’s personal information occurred in California; or (3) there was no sale of the personal information collected while the consumer was in California.
What Are Businesses Required to Do?
The CCPA requires businesses, in response to a demand by a consumer, to make certain disclosures, which must be reasonably accessible to consumers and updated at least every 12 months.
Although the CCPA includes many specific requirements, in general, businesses that collect consumer data must:
- Inform consumers about the categories of personal information they will collect;
- Inform consumers about the purposes for which these categories of personal information will be used;
- Provide notice if any new categories of personal information will be collected after the initial disclosure; and
- Inform consumers of their right to request the deletion of personal information and the limitations to that right.
Businesses that sell consumer data or disclose it for a business purpose must comply with the requirements listed above and provide the following information:
- A list of the categories of personal information they have sold over the preceding 12 months;
- A list of the categories of personal information they have disclosed over the preceding 12 months;
- A statement disclosing that consumer information may be sold; and
- A disclosure of consumers’ right to opt-out of the sale of their personal information.
Businesses must also provide a clear, conspicuous, and easily accessible link on their homepages and privacy policies enabling consumers to opt-out of the sale of their personal information. In addition, the CCPA requires businesses to disclose to consumers their right not to be discriminated against as a result of opting out. For children, there must be an express opt-in for their personal data to be sold. Upon a request by a consumer to delete the consumer’s personal information, the business must delete the information from its records and direct any service providers to delete the consumer’s personal information from their records as well.
Businesses must provide at least two ways for consumers to submit requests for information, including, at a minimum, a toll-free telephone number and, if the business has a website, a web address. The business must deliver the requested information within 45 days at no charge to the consumer.
What Happens If My Business Violates the CCPA?
If regulators notify a business of a violation, it has 30 days to comply with the law before any penalty will be imposed. If the business does not resolve the issue within the 30-day deadline, the state of California can impose a hefty fine of up to $7500 per record. In addition, individuals affected by a violation of the CCPA can sue the business individually or as part of a class action for damages.
Give Us a Call
If you need help determining whether the CCPA or a similar law will impact your business and what your business needs to do to comply with the law, we can help. Please call our office to set up a consultation so we can discuss this law or any of your business’s other data privacy and protection obligations.