A New California Law Attempts to Regulate Consumer Privacy Nationwide. Better Get Ready.
Tuesday, January 21st, 2020
A new California law, the Consumer Privacy Protection Act (“CCPA”), goes beyond requiring businesses to have privacy policies. It forces them to carefully structure how they gather and use consumers’ information.
It’s not limited to information gathered by a website. The law addresses all personal information gathered from consumers, even offline.
It’s no longer good enough to just have a privacy policy on your website. You have to conform how you handle consumer data to California’s standards.
You may be thinking “So What? My business isn’t located California. Why should I care about this?”
If your business interacts with Californians while they are in California, such as through your website or social media or on the phone, or if you ship goods to California, your business is covered even if it has no physical presence in California.
The CCPA does not apply to all businesses. It applies if your business has over $25 million in gross revenues. While the law is unclear, it appears that’s money earned anywhere, not just from Californians.
Even if your business does not have gross revenue that high, it’s covered if it earns 50% or more of its revenue from selling consumer information or if it annually sells the personal information of 50,000 or more consumers.
You should pay attention to the CCPA even if your business is not big enough to be covered yet. California could broaden the scope of businesses covered. Also, the federal government might soon enact a similar law to preempt the California law and to prevent a patchwork of state laws from imposing inconsistent and Byzantine requirements.
Here’s a taste of how intrusive the CCPA is:
● The business must inform consumers at the point of collection of the categories of personal information it gathers and how that information is used.
● A business must get consent from a consumer for its information gathering and use practices. This means a business’s privacy policy must stay ahead of what a business does with consumer data. It’s not good enough to later put into place a privacy policy that captures what’s already happening.
● Upon request from a consumer, a business must disclose the categories and specific pieces of information collected about that consumer. The business must provide at least two ways for consumers to make such requests, including by toll-free telephone number.
● The consumer can require a business to delete information about that consumer.
● A business must inform consumers of the right to opt-out of the sale of the consumer’s personal information and honor opt-out requests. To that end, a business must put a link on the home page of its website titled “Do Not Sell My Personal Information.”
● A consumer can require a business to disclose to whom it has sold the consumer’s data.
● The above items mean a business must have a system in place to verify and deal with requests from consumers for disclosures and deletions.
● The business cannot discriminate against a consumer because the consumer exercises any of these rights.
Overall, privacy law is headed California’s way. The earlier you get ready, the easier it will be for your business.
Written on January 21, 2020
by John B. Farmer
© 2020 Leading-Edge Law Group, PLC. All rights reserved.