Article Detail

News & Knowledge

Will Your Business Be Affected By the New California Privacy Law

January 15, 2020

By: Drew Sorrell

The Fine Print

The first communication between two computers occurred on October 29, 1969. One computer was located at UCLA and the other at Stanford. One communicated to the other “LOGIN” and it promptly crashed after receiving “LO”. From this humble beginning, the Internet was born. It wasn’t until the early 1980’s that networks were assembled and thereby the first modern-ish version of the Internet. And, of course, the World Wide Web — websites and hyperlinks — was not invented until 1989. The law has been trying to catch up ever since. 

The Internet has been revolutionary in so many ways, not the least of which is giving companies access to customers’ information and chronicling everything about their digital footprint. That is why the California Consumer Privacy Act (CCPA) was created, and why all of us need to understand its implications. 

What makes the CCPA, which goes into effect on January 1, 2020, so extraordinary? First, it may be the first privacy law potentially shifting ownership of a consumer’s information back to the consumer. Second, it requires transparency on the part of the companies gathering the consumer information. Third, it holds companies accountable for protecting your personal information. Fourth, and perhaps most important for our readers, the CCPA may have a bigger impact than you think on Florida (or other non-California) companies. 

If you operate a business that “does business” in California, either physically or on the Internet, only one of the answers to these questions needs to be “yes” for the CCPA to apply: 

  1. Do your annual gross revenues exceed $25,000,000?
  2. Do you buy, receive, sell, or share personal information of over 50,000 California consumers or households?
  3. Do you derive at least 50% of annual revenue from selling California consumers’ personal information? 

Notably, the California Attorney General may not bring any enforcement actions until the earlier of six months after promulgating regulations defining the law or July 1, 2020. 

This law is astonishing because the current and general model in the US is that corporations own our information — with some caveats — and generally may do anything they want with it — with some caveats. The CCPA in contrast effectively places ownership and control of consumer data in the hands of the consumer. It does so by affording consumers the right to:

  • Clear and understandable notice of what information is being collected and what will be done with it;
  • The right to know how and to whom data is sold; 
  • The right to correct and indeed the right to require the corporation to delete or “forget” that information; 
  • Finally, consumers may not be discriminated against if they opt out of their information being sold (corporations may charge a different fee or offer a different service if the corporation can show it is reasonably related to the loss in value of the consumer’s information)

But why do we care in Florida? The meaning of “operating” in California on the Internet via the World Wide Web is quite broad. Thus, if your company is reaching into California via its website to sell goods or services, you should be concerned. Moreover, from an operations perspective, can a corporation effectively provide rights to one class of consumer while not providing those same rights to another class? (Legal readers: Is it an unfair and deceptive trade practice to provide a right to one consumer and not to another?) All of the forgoing of course necessitates careful consideration of your online platform and whether it must or reasonably should comply with the CCPA. 

If you have any questions or consideration, contact Drew Sorrell or any member of the Lowndes Privacy and eDiscovery Group. 

This article is informational only. You should consult an attorney before acting or failing to act. The law may change rapidly and no warranty is given. LOWNDES DISCLAIMS ALL IMPLIED WARRANTIES AND WITHOUT LIMITATION, ANY WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. ALL ARTICLES ARE PROVIDED AS IS AND WITH ALL FAULTS. Consult a Lowndes attorney if you wish to establish an attorney/client relationship.

Drew Sorrell's practice focuses on complex commercial issues, relating to both litigation and contract/policy drafting.

Drew has years of experience litigating business matters, intellectual property/patent infringement disputes, data breach/privacy issues, wire fraud (spoofing/spear phishing), business torts/disputes, insurance coverage, personal injury and employment litigation. Likewise, he has significant experience drafting and negotiating software licenses (SaaS), Internet service provider agreements, data privacy/breach policies and procedures, employment/services agreements as well as the indemnity and insurance coverage related to those agreements.

Initially, Drew began his legal career as a judicial clerk to Senior United States District Judge John H. Moore II, in Jacksonville, Florida, and then practiced with an AmLaw top 10 firm in Manhattan primarily in their litigation department. After spending some time as an assistant county attorney responsible for litigation, he joined Lowndes and is currently chair of the firm’s multi-discipline Cybersecurity, Privacy & eDiscovery Group.

A founding member of the Sedona Conference Group 11 (Privacy/Data Security), Drew is frequently asked to speak and write on legal and ethical issues arising from technology, including unfair and deceptive trade practices, data breach, privacy, data governance, and technology contract drafting. He is also currently serving as chair of the Orange County Bar Association Intellectual Property Committee.

Drew has argued to the United States Court of Appeal for the Eleventh Circuit, at the federal level, and the Fifth District Court of Appeal at the state level. He is admitted to The United States Supreme Court Bar, as well as the Florida, New York and District of Columbia Bars. He is admitted to practice before all federal district courts in Florida as well as the Southern District of New York.

Born in Florida, Drew roots for his adopted football team—the FSU Seminoles (because neither Rollins nor George Washington has a football team). He is a proud father of two sons who play basketball and soccer, make great grades and generally keep him very busy in his spare time.

Meritas Law Firms Worldwide logo
Do Your Part Logo