When it Comes to Online Privacy, Your Virginia Business May be Governed by California and Europe

Your business may be in Virginia, but when it comes to online privacy laws, it may be governed by California and the European Union.

For the uninitiated, a website often will have a privacy policy linked on its website, usually at the bottom. A privacy policy is supposed to educate web surfers as to what that website and business will do with information it gathers. The policy will do things such as discuss the use of cookies and web beacons, and whether the business shares with third parties personally identifying information it gathers about web surfers.

There is no federal law that generally requires businesses to have privacy policies for websites and mobile apps. Until fairly recently, it was optional for most U.S. businesses to have a privacy policy. Only certain regulated industries, such as financial institutions and medical practices, were covered by special privacy laws.

However, beware that other governments require businesses to have privacy policies. These laws may govern Virginia-based businesses and might be enforced against them. As usual, California leads the way.

California Part I – CalOPPA

Since 2004, California has had on the books the California Online Privacy Protection Act (known as “CalOPPA”). CalOPPA requires certain businesses to have a privacy policy containing certain disclosures.

It applies to any commercial website that collects personally identifying information about a consumer residing in California. Thus, your business would be covered if its website gathers personally identifying information from a California consumer, such as a name, address, email addresses, or telephone number from a Californian who registers on your website or via your app, or buys a product or service online from you.

Businesses that fail to comply can be sued by the California government for $2500 for each consumer whose interests are violated, which could add up to millions of dollars. Yet, perhaps it’s unlikely the California government would expend the effort to sue a Virginia-based business unless it’s a large or national one. No guarantees there.

California Part II – CCPA

California recently upped the ante by enacting the “California Consumer Privacy Act” (known as the “CCPA”). This law goes into effect on January 1, 2020, although governmental enforcement might be delayed several months until the California government issues implementation regulations.
It will be expensive and time-consuming for businesses to comply with the new law.

It gives all California residents the right to force businesses to disclose categories of personal information gathered about them and, in many cases, to require deletion of it.

It also requires businesses to post on their websites an opportunity for web surfers to opt out of the sale of their personal information.

As with CalOPPA, the California government potentially can collect large fines for noncompliance.

The CCPA also gives individuals the right to pursue a lawsuit against a covered company for certain data breaches.

The law effectively requires businesses to carefully map out and control how they gather and use data about individuals. It won’t be enough to just put up a privacy policy on your website.

Presently, the law applies only to businesses that meet any one of three criteria: (1) gross annual revenue over $25 million; (2) gets over 50 percent of annual revenue from selling consumers’ information; or (3) annually buys, sells, receives, or shares personal information about 50,000 or more consumers. I predict California will eventually lower those thresholds to cover more businesses.

Other states also have enacted online privacy laws, such as Nevada, Connecticut, and Delaware. So far, none are as extensive as California.

Europe and the GDPR

Then there is Europe. You probably have heard of the European Union’s General Data Privacy Regulation (known as the “GDPR”). Even if you haven’t, you probably have noticed that websites for big businesses tend to have pop-ups that warn you about privacy practices and using cookies – pop-ups that you have to click “I agree” to get rid of. That’s usually happening because of the GDPR.

The GDPR not only mandates a privacy policy but also extensively regulates the handling of personally identifying information by a business, regardless of whether that personal information is gathered online or by other means.

The EU government claims the power to fine a business for a violation up to the greater of 20 million euros or four percent of its gross annual revenue.

The big question is whether your U.S.-based business is governed by the GDPR if it doesn’t have a physical location in the EU.

The GDPR protects individuals living in the EU. It doesn’t cover citizens of EU countries while in the U.S. So, for example it doesn’t govern your business if you sell something to a German citizen travelling in the U.S.

In theory, your U.S. business is covered if it sells products or services to individuals in the EU (such as by online or catalog order), or if it gathers (online or otherwise) personal information from individuals in the EU. Yet, if the EU government imposed a fine on your U.S. business over a violation, it’s unclear how it could collect the fine in the U.S. I am not aware of any case where a business operating solely in the U.S. has been successfully punished or fined under GDPR.

On the other hand, if your business has a physical presence or assets in the EU, that would be an avenue for collection.

What Should Your Business Do?

Overall, what should your business do about this rising tide of privacy laws?

First, because of CalOPPA, your business probably should have a privacy policy if it has a website or app.

Second, the worst mistake you can make regarding a privacy policy is to not do what it says. That’s when the U.S. Federal Trade Commission nails you, and perhaps a state government too. Thus, just copying and pasting someone else’s privacy policy rather than getting one fitted to your business can be a huge mistake.

Third, figure out if you’re covered by the CCPA or GDPR. Those laws are detailed, so consult with legal counsel on that. If you’re covered, you have a lot of work to do.

Written on October 11, 2019

by John B. Farmer

© 2019 Leading-Edge Law Group, PLC. All rights reserved.