Is Your Small Business Up-To-Date With The CCPA?
California is sometimes considered an incubator for the rest of the country as many ideas that start here eventually spread nationwide. The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, and though you may have initially ignored this legislation because your business isn’t located in California, it is useful to understand the basics of the the act. At the very least, it will inform you as to whether your business is actually impacted. Longer-term, however, it will prepare you if your state becomes the next to enact stricter data privacy regulations, or if legislation comes from the federal level.
What is the California Privacy Law?
Any U.S. business that mishandles the personal information of customers who live in California could be held liable if the California customer’s personal information is compromised in a data breach. This is true regardless of whether the business is located in California or elsewhere.
Unfortunately, many business owners are unaware of the CCPA. A survey conducted by ESET found that 44% of business owners had never heard of the law and just 12% said they knew whether or not the law applied to them. About one-third (34%) said didn’t know whether or not they should change how they capture, store and process customer data as a result of the law.
CCPA Small Business: The Size Threshold
There’s one silver lining to the CCPA: It only applies to businesses that are above a certain size threshold. Specifically, any business that has less than $25 million a year in revenue, possesses the personal information of fewer than 50,000 consumers, or derives less than 50 percent of its revenue from selling personal information is not subject to the CCPA.
Even if your business isn’t subject to the law, however, you should still to pay close attention to it. Data privacy has become a critical issue for many people when deciding which companies to do business with. Failing to protect your customers’ data could put your business at a competitive disadvantage against companies that take data protection more seriously.
“The CCPA provides small businesses with incentive and motivation to start thinking about the personal data processed and protected within their business environment,” said Matt Dumiak, the director of privacy services at CompliancePoint in a recent article published on Business News Daily.
Added Robert Cattanach, a partner at Dorsey & Whitney who helps clients navigate regulatory law: “California’s law will raise the bar significantly, and this won’t be the last time it’s raised as states seek to emulate the EU’s new GDPR. This measure is likely to increase litigation as more consumer rights are created and expanded.”
Don’t Make Assumptions
You can’t just assume that if your business revenue is less than $25 million the CCPA doesn’t apply to you. According to Clarity in Privacy, your business could easily meet the criteria of possessing the personal information of more than 50,000 consumers without you even realizing it. For example, if your website captures the IP addresses of 137 visitors every day, you could be considered to possess the personal information of 50,005 consumers (137 x 365) and thus be subject to the law.
Your business could also be subject if you provide services to a business that is subject to the law. In this scenario, the business that is covered by the law must create a contract governing your business’ relationship with its customers. This contract will likely prohibit any collection, sale or use by your business of its customers’ personal information unless it’s necessary for your business to perform services.
Businesses you work with might subject your company to new requirements as a result of the law. For example, if you’re a vendor to a business that’s subject to the CCPA, the business might place new cybersecurity requirements on your company. Additionally, they might allocate some of the costs associated with violations to your company or require your business to carry additional cybersecurity insurance.
Cybersecurity experts recommend that vendors be prepared to delete from their records consumer personal information they received from businesses subject to the CCPA.
The CCPA Explained
The CCPA protects a number of specific consumer rights as they relate to the sharing of personal data, including the following:
- The right to know all data collected on them — including what categories of data and why it is being acquired — before it is collected, along with any changes to its collection.
- The right to refuse the sale of their personal information.
- The right to request deletion of their personal data.
- The mandated right to opt in before the sale of the personal information of children who are under 13 years of age.
- The right to know the categories of third parties with whom their personal data is shared, as well as those from whom their data was acquired.
- The right to enforcement by the Attorney General of the state of California.
- A private right of action should a data breach occur to ensure that companies keep their customers’ personal information safe.
If a customer makes a request to a business subject to the law that’s related to their personal information, the business will have 45 days to respond to the request. Businesses subject to the law will be liable for up to $750 per incident, per customer if any damages occur due to a data breach suffered.
Other States May Follow Suit
The CCPA could be just the first of many similar state laws designed to protect consumers’ personal information. Similar legislation has been introduced in Texas, New York, and Washington. And new legislation recently went into effect in Nevada requiring businesses to offer consumers the right to opt out of the sale of their personal information.
“It’s clear that businesses are confused about this regulation; they don’t know whether they are subject to the law and what they need to do to become compliant,” said Tony Anscombe, a global security evangelist at ESET, in the Business News Daily article. “The penalties will be severe, and the financial harm could be grave to these firms.”
Start Preparing Your Small Business for the Next CCPA
With the CCPA recently having gone into effect, now is the time to start an audit of how you handle your customer data, as well as time to start thinking about how your business could be impacted and making preparations for future legislation. Assume this is not an if scenario, but when.
In particular, you should focus on the “reasonable security” component of the law by making sure your business has adequate policies and procedures in place to guard your customers’ personal information. This includes strong endpoint protection and data encryption throughout the organization.
Visit the Californians for Consumer Privacy website to learn more about the California Consumer Privacy Act.