Will Your Business Be Affected By the New California Privacy Law
- January 15, 2020
- / Drew Sorrell
- / Articles,Cybersecurity & eDiscovery
By: Drew Sorrell
The first communication between two computers occurred on October 29, 1969. One computer was located at UCLA and the other at Stanford. One communicated to the other “LOGIN” and it promptly crashed after receiving “LO”. From this humble beginning, the Internet was born. It wasn’t until the early 1980’s that networks were assembled and thereby the first modern-ish version of the Internet. And, of course, the World Wide Web — websites and hyperlinks — was not invented until 1989. The law has been trying to catch up ever since.
The Internet has been revolutionary in so many ways, not the least of which is giving companies access to customers’ information and chronicling everything about their digital footprint. That is why the California Consumer Privacy Act (CCPA) was created, and why all of us need to understand its implications.
What makes the CCPA, which goes into effect on January 1, 2020, so extraordinary? First, it may be the first privacy law potentially shifting ownership of a consumer’s information back to the consumer. Second, it requires transparency on the part of the companies gathering the consumer information. Third, it holds companies accountable for protecting your personal information. Fourth, and perhaps most important for our readers, the CCPA may have a bigger impact than you think on Florida (or other non-California) companies.
If you operate a business that “does business” in California, either physically or on the Internet, only one of the answers to these questions needs to be “yes” for the CCPA to apply:
- Do your annual gross revenues exceed $25,000,000?
- Do you buy, receive, sell, or share personal information of over 50,000 California consumers or households?
- Do you derive at least 50% of annual revenue from selling California consumers’ personal information?
Notably, the California Attorney General may not bring any enforcement actions until the earlier of six months after promulgating regulations defining the law or July 1, 2020.
This law is astonishing because the current and general model in the US is that corporations own our information — with some caveats — and generally may do anything they want with it — with some caveats. The CCPA in contrast effectively places ownership and control of consumer data in the hands of the consumer. It does so by affording consumers the right to:
- Clear and understandable notice of what information is being collected and what will be done with it;
- The right to know how and to whom data is sold;
- The right to correct and indeed the right to require the corporation to delete or “forget” that information;
- Finally, consumers may not be discriminated against if they opt out of their information being sold (corporations may charge a different fee or offer a different service if the corporation can show it is reasonably related to the loss in value of the consumer’s information)
But why do we care in Florida? The meaning of “operating” in California on the Internet via the World Wide Web is quite broad. Thus, if your company is reaching into California via its website to sell goods or services, you should be concerned. Moreover, from an operations perspective, can a corporation effectively provide rights to one class of consumer while not providing those same rights to another class? (Legal readers: Is it an unfair and deceptive trade practice to provide a right to one consumer and not to another?) All of the forgoing of course necessitates careful consideration of your online platform and whether it must or reasonably should comply with the CCPA.
If you have any questions or consideration, contact Drew Sorrell or any member of the Lowndes Privacy and eDiscovery Group.