Data privacy laws requiring businesses to take steps to safeguard customers’ and employees’ personal information and to notify them if a breach occurs have been on the books for years.
Recently, however, a new California privacy law, the California Consumer Privacy Act (CCPA), was enacted. It guarantees consumers (but not employees, at least for now) the right to know what personal information is being collected. It also requires businesses to respond to consumer demands for records showing all the personal information a business has collected about them and any third parties with which it has shared or sold their data, as well as to requests to have their data erased and to opt out of the sale of their personal information.
The new law becomes effective on January 1, 2020, and enforcement begins on July 1, 2020. Other states, including Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island, are following California’s lead and considering similar legislation. Because the California law will affect many small businesses, including some located in other states, and because it is likely that other states will adopt similar laws, it is important for small business owners to be aware of the new law and its potential impact on them.
Which Businesses Must Comply?
The CCPA applies to businesses that fall into at least one of the following categories: (1) those that earn $25 million or more in annual revenue; (2) those that buy, receive, or sell the personal data of at least 50,000 consumers or households; or (3) those that obtain at least half of their revenue selling the personal data of California residents. Any business, including those located outside of the state of California, will be subject to the law, as long as it meets one of the three conditions mentioned above. It has been estimated that more than 500,000 U.S. businesses, including many small businesses, will be impacted. The law does not apply when a business’s commercial conduct “takes place wholly outside of California,” i.e., (1) the business collected information while the consumer was outside of California; (2) no part of a sale of the consumer’s personal information occurred in California; or (3) there was no sale of the personal information collected while the consumer was in California.
What Are Businesses Required to Do?
The CCPA requires businesses, in response to a demand by a consumer, to make certain disclosures, which must be reasonably accessible to consumers and updated at least every 12 months.
Although the CCPA includes many specific requirements, in general, businesses that collect consumer data must:
- Inform consumers about the categories of personal information they will collect;
- Inform consumers about the purposes for which these categories of personal information will be used;
- Provide notice if any new categories of personal information will be collected after the initial disclosure; and
- Inform consumers of their right to request the deletion of personal information and the limitations to that right.
Businesses that sell consumer data or disclose it for a business purpose must comply with the requirements listed above and provide the following information:
- A list of the categories of personal information they have sold over the preceding 12 months;
- A list of the categories of personal information they have disclosed over the preceding 12 months;
- A statement disclosing that consumer information may be sold; and
- A disclosure of consumers’ right to opt out of the sale of their personal information.
Businesses must also provide a clear, conspicuous, and easily accessible link on their homepages and privacy policies enabling consumers to opt out of the sale of their personal information. In addition, the CCPA requires businesses to disclose to consumers their right not to be discriminated against as a result of opting out. For children, there must be an express opt-in for their personal data to be sold. Upon a request by a consumer to delete the consumer’s personal information, the business must delete the information from its records and direct any service providers to delete the consumer’s personal information from their records as well.
Businesses must provide at least two ways for consumers to make requests for information, including, at least, a toll-free number, and if the business has a website, a web address. The business must deliver the information requested within 45 days at no charge to the consumer.
What Happens If My Business Violates the CCPA?
If regulators notify a business of a violation, it has 30 days to comply with the law before any penalty will be imposed. If the business does not resolve the issue within the 30-day deadline, the state of California can impose a hefty fine of up to $7,500 per record. In addition, individuals affected by a violation of the CCPA can sue the business individually or as part of a class action for damages.
Give Us a Call
If you need help determining whether the CCPA or a similar law will impact your business and what your business needs to do to comply with the law, we can help. Please call our office to set up a consultation so we can discuss this law or any of your business’s other data privacy and protection obligations.
This article is a service of Sky Unlimited Legal Advisory PC, Personal Family Lawyer®. We're not your traditional law firm; we stand apart from the rest by helping you make informed and empowered decisions on how to deal with your business throughout life and in the event of an emergency. We offer a complete spectrum of legal services, including a New Business Planning Session or an Existing Business Review Session, which includes a review of all the legal, insurance, financial, and tax systems you need for your business. You can begin by calling our office at (650) 761-0992 today or book online to schedule a Business Planning Session and mention this article to find out how to get this $950 session at no charge.