Friday, October 11th, 2019
Your business may be in Virginia, but when it comes to online privacy laws, it may be governed by California and the European Union.
However, beware that other governments require businesses to have privacy policies. These laws may govern Virginia-based businesses and might be enforced against them. As usual, California leads the way.
California Part I – CalOPPA
CalOPPA applies to any commercial website that collects personally identifying information about a consumer residing in California. Thus, your business would be covered if its website gathers personally identifying information, such as a name, address, email address, or telephone number, from a Californian who registers on your website or via your app, or who buys a product or service online from you.
Businesses that fail to comply can be sued by the California government for $2500 for each consumer whose interests are violated, which could add up to millions of dollars. Yet it is perhaps unlikely that the California government would expend the effort to sue a Virginia-based business unless it’s a large or national one. No guarantees there.
California Part II – CCPA
California recently upped the ante by enacting the “California Consumer Privacy Act” (known as the “CCPA”). This law goes into effect on January 1, 2020, although governmental enforcement might be delayed several months until the California government issues implementation regulations.
It will be expensive and time-consuming for businesses to comply with the new law.
It gives all California residents the right to force businesses to disclose categories of personal information gathered about them and, in many cases, to require deletion of it.
It also requires businesses to post on their websites an opportunity for web surfers to opt out of the sale of their personal information.
As with CalOPPA, the California government potentially can collect large fines for noncompliance.
The CCPA also gives individuals the right to pursue a lawsuit against a covered company for certain data breaches.
Presently, the law applies only to businesses that meet any one of three criteria: (1) has gross annual revenue over $25 million; (2) derives over 50 percent of annual revenue from selling consumers’ information; or (3) annually buys, sells, receives, or shares personal information about 50,000 or more consumers. I predict California will eventually lower those thresholds to cover more businesses.
Other states, such as Nevada, Connecticut, and Delaware, also have enacted online privacy laws. So far, none are as extensive as California’s.
Europe and the GDPR
Then there is Europe. You probably have heard of the European Union’s General Data Privacy Regulation (known as the “GDPR”). Even if you haven’t, you probably have noticed that websites for big businesses tend to have pop-ups that warn you about privacy practices and using cookies – pop-ups that you have to click “I agree” to get rid of. That’s usually happening because of the GDPR.
The EU government claims the power to fine a business for a violation up to the greater of 20 million euros or four percent of its gross annual revenue.
The big question is whether your U.S.-based business is governed by the GDPR if it doesn’t have a physical location in the EU.
The GDPR protects individuals living in the EU. It doesn’t cover citizens of EU countries while they are in the U.S. So, for example, it doesn’t govern your business if you sell something to a German citizen travelling in the U.S.
In theory, your U.S. business is covered if it sells products or services to individuals in the EU (such as by online or catalog order), or if it gathers (online or otherwise) personal information from individuals in the EU. Yet, if the EU government imposed a fine on your U.S. business over a violation, it’s unclear how it could collect the fine in the U.S. I am not aware of any case where a business operating solely in the U.S. has been successfully punished or fined under GDPR.
On the other hand, if your business has a physical presence or assets in the EU, that would be an avenue for collection.
What Should Your Business Do?
Overall, what should your business do about this rising tide of privacy laws?
Third, figure out if you’re covered by the CCPA or GDPR. Those laws are detailed, so consult with legal counsel on that. If you’re covered, you have a lot of work to do.
Written on October 11, 2019
by John B. Farmer
© 2019 Leading-Edge Law Group, PLC. All rights reserved.