Peter BraunNew state privacy laws mean doing business in California will come with new levels of compliance. To avoid complications – and hefty fines – follow this simple guide.
The first half of fiscal 2018 was festooned with the lead balloon of the General Data Privacy Regulations. An EU initiative years in the making, GDPR aimed to protect European citizens’ personal data online, and as any international company would include a European employee, customer, or contractor somewhere along the way, failure to comply with Brussels’ legislation would result in the kind of fines that could put your lights out for good.
Like the fidgety lead-up to Y2K, there were prognosticators and doomsayers, but aside from a few lawsuits aimed at big game trophies like Facebook or Google, GDPR’s implication date of May 25th passed mostly without incident.
Now, just when you thought it was safe to kick back and congratulate yourself on your glocal business being GDPR compliant, some yahoo in California’s gone and added another layer to this digital tiramisu.
The California Consumer Privacy Act (CCPA), a bill passed as AB-375, means that a business collecting, storing or selling any Californians’ personal information will have to fall in line to this new legislation. We’ve got until January 1st, 2020, to get this done.
As it was with GDPR, firms have some time to lawyer-up and get CCPA compliant to avoid fines currently set at $7500. This amount, as well as what the act will actually enforce could change between now and activation day, the underlying premise remains: Legislators “are concerned that misuse of personal data may have ‘devastating’ effects for individuals, including financial fraud, identity theft, unnecessary costs to personal time and finances, destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”
Providing the kind of legal advice market innovators will need to assure compliance, international law firm Cooley has put together an FAQ on the subject, starting with who will need to get what straight in the next two years.
If you are a company with annual gross revenues over $25 million; if you obtain personal information from over 50,000 California residents, households or devices per year; or if selling any combination of this information accounts for more than 50 percent of your annual revenue; best pay attention and call Cooley.
Hey, my business isn’t based in California, this doesn’t apply to me.
Although there are grey areas state-by-state, if your business is online and you have even one customer from California, best to consider yourself as on the hook.
Ok then. Define customer.
California law would define customers as Individuals in the state for other than temporary or transitory purposes, and Individuals domiciled in the state who are outside the state for a temporary or transitory purpose. But since this definition is not limited to residents that buy goods and services, “consumers” would also include others, like, for example, an organization’s employees residing in California.
Fine. Now what does the CCPA define as “personal information”?
Well, a lot. There are the obvious things like your real name, postal address, IP address, email address, social security number, or driver’s license number. But it also encompasses commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies. And of course, your geolocation data. See a more comprehensive list in the Cooley FAQ.
But my company already went through GDPR and passed with flying colors.
Congratulations on that. Must have been no small feat. However, you will have to address the CCPA framework separately. Obtaining consent, for example, is a different process, and EU regulatory enforcement has, to date, been limited. In the US we expect more rigorous regulatory oversight. As such, to reduce clear and present risk, CCPA compliance will necessarily be more involved and precise. You’re not out of the woods yet.
And if one were to just ignore it?
Those found to be in violation would be subject to penalties pursuant to a civil action by the California attorney general, as set forth under Section 17206 of California’s Business and Professions Code. This provides for penalties up to $2,500 per violation, and a company found to have violated the CCPA intentionally would be liable for up to $7,500.
So if I take care of all this now I’m good.
Given this law being passed so quickly, and the number of companies that would be affected already kicking up a fuss, the details will have to be monitored as January 2020 approaches. Stay tuned as we report new details as they come to light.
Augusta Henning
Jhana Cayton
Shefali Netke
Sarah Essghaier
Miriam Groom