What California’s New Data Privacy Law Means for Your Business
On January 1, 2020, a landmark new data privacy law went into effect in California. The California Consumer Privacy Act (CCPA) creates a new set of consumer rights regarding personal information that businesses collect. Compliance with the law requires affected businesses to modify privacy policies and website terms and conditions and develop new procedures for managing customer data.
Not all businesses must comply with the CCPA. It applies only to companies that do business in California and (1) have annual gross revenues of more than $25 million; or (2) buy, receive or sell the personal information of 50,000 or more consumers, households or devices; or (3) derive 50% or more of their annual revenues from selling consumers’ personal information. Thus, most small business are spared the burden of compliance unless their business is focused on the sale of consumer data or otherwise processes large amounts of it. However, the $25 million revenue test will bring many mid-sized businesses within the scope of the Act.
Businesses that meet one of the three tests described above must do the following:
• Provide conspicuous notice to consumers at or before the point of data collection;
• Create procedures to respond to consumer requests to opt out of data collection, know what data has been collected and delete such data, which must include a “Do Not Sell My Information” link on websites and mobile applications;
• Timely comply with consumer requests to know, opt-out and delete information; and
• Verify the identity of consumers who make requests to know or delete.
In addition to these core compliance rules, the Act includes numerous provisions designed to ensure effective enforcement. For instance, a business cannot require a consumer to create an account in order to direct the business not to sell his or her personal information. There are also provisions concerning the training of employees responsible for implementing the above procedures. And for any consumer who has opted out of the sale of personal information, a business must comply with that decision for at least 12 months before requesting that the consumer re-authorize the sale of information.
Violations of the CCPA are subject to fines of $7,500 for each intentional violation and $2,500 for other violations. Consumers may also bring private actions against businesses that violate certain provisions of the Act to recover between $100 and $750 per consumer per incident or actual damages, whichever is greater. Thus, the liability for businesses that allow large-scale noncompliance is potentially quite large.
These new compliance rules are already complex, and they are likely to become more so by virtue of regulations proposed by the California Attorney General. If implemented, these regulations will, among other things, expand record-keeping and training obligations for businesses that collect, buy or sell the personal information of more than 4 million consumers and require businesses to treat certain user-enabled privacy settings as a valid opt-out request. As the Attorney General’s office continues to assess the benefits and burdens of the Act, further regulations are likely.
For affected businesses, the CCPA has significant ramifications for their customer-facing operations, IT departments and data management practices. Compliance is critical to avoid lawsuits either by consumers genuinely damaged by violations of the Act or opportunistic plaintiffs seeking to exploit the law’s strict liability penalties.
If you need help understanding the CCPA or bringing your business into compliance, contact the professionals at Capobianco Law Offices for assistance.