You may have heard that California has a new privacy law. The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. It covers large(r) businesses in California. Covered businesses have to give “consumers” four key rights:
- The right to know the businesses’ privacy practices regarding how they collect, use, share, and sell consumers’ personal information.
- The right to demand that businesses delete personal information. There are some exceptions in the law.
- The right to opt out of the sale of personal information.
- The right not to be discriminated against for exercising any of these rights.
Here’s what you may not have heard about CCPA. This is a sample of three surprising aspects of the law. (There are more.)
- Under CCPA, “consumers” are defined as any California residents, not just California residents buying products and services for personal, family, or household purposes. What that means is that covered businesses not only have privacy obligations to their customers, they also have privacy obligations to their employees. Covered businesses must now provide privacy notices to their employees.
- The California Consumer Privacy Act is not just about privacy. It also has an important data security section. That section creates new, potentially huge and business-ending liabilities if a covered business has a data breach. We expect many more data breach lawsuits with the new law. As a result, businesses across California are scrambling to secure their personal information and tighten up their data security policies, practices, and technology. Here’s one way to begin considering your risk. If you had to hand a regulator a copy of your company’s data security policy today, could you do it? Many businesses have no formal security program or policy. Now that we have CCPA, they are taking a big risk.
- Depending on your type of business, it’s not hard to fall under CCPA. Your business is covered if it has more than $25 million in annual gross revenue; it has personal information of 50,000 or more California residents, households, devices, or any combination of them; or it receives 50% or more of its revenue from the sale of personal information. You may or may not have $25 million in revenue, but if you have 137 unique visitors to your website every day and you collect IP addresses because you use website analytics tools, you may fall under CCPA. (137 a day comes to just over 50,000 in a year.) 137 isn’t a large number for popular websites.
I am a shareholder with Silicon Valley Law Group and help clients start and update CCPA and other privacy and security programs.
If you would like to find out how CCPA affects your business or want privacy or security help to comply with CCPA, please contact me by completing the web form here.