Is Your Virginia Business Ready for the California Consumer Privacy Act?
Companies around the world are paying attention to the wave of data privacy laws emerging from the European Union and the United States. California is the first state to introduce significant data privacy regulations for handling consumers’ personal information, regardless of whether the company operates in the state or directly targets California residents. Many businesses not physically based in California may be unaware that the California Consumer Privacy Act (CCPA) likely applies to them (so does Nevada’s new data privacy law, but we’ll deal with that in an upcoming post).
Here’s a high-level overview to help you decide whether you need to take action and prepare for CCPA before enforcement begins on July 1, 2020.
How to Determine if Your Business is Subject to the CCPA
The CCPA applies to any business around the world (including service providers and third-party vendors) that handles personal information (“PI”) of California residents. The CCPA defines a “business” as:
- A for-profit, private sector entity or sole proprietor that
- Does business in California (more on that below);
- Collects California residents’ personal information (“PI”), either directly or through another entity acting on its behalf; and
- Determines the purposes and means of processing that personal information.
It’s also possible for an entity – let’s say a non-profit organization – that doesn’t directly meet the definition of a “business” to be considered “indirectly” subject to the CCPA if it is related to an entity that is “directly” covered. So, for example, CCPA compliance is required of a non-profit organization that has common branding with a subsidiary or parent company that is covered by the CCPA. In that case, the non-profit also needs to prepare for CCPA compliance.
“Doing business” in California is a fact-based question that is not defined in California law. This blog post isn’t intended to cover every potential fact scenario. But if your business has employees in California, has a satellite office in California, owns real estate there, holds any kind of special license or permit from California, or has regular/repeat customers in California, then you almost certainly are “doing business” in California and the CCPA’s business requirements will impact you.
The CCPA may also apply to online businesses with no physical presence in the state.
For businesses outside of California, the CCPA applies to them if they do business in California and any ONE of the following is true:
- The business has annual gross revenue over $25 million; or
- The business receives, sells, or shares the personal information (PI) of 50,000 or more California consumers, households, or devices annually (137 daily hits on your website from Californians equals 50,005 annual collections of PI); or
- The business derives half or more of its annual revenue from selling consumers’ PI.
These thresholds are low and easily crossed—especially the second and third. If you’re not sure whether the second threshold applies, check the Google Analytics for your website. If your site gets 137 daily hits from Californians, then the second threshold is triggered and the CCPA applies to your business if you have business relationships in California. Also, the CCPA’s definition of “selling” is very broad, and companies that transfer PI to third parties may be “selling” that PI. Virginia businesses that market directly to California residents or have customers there are almost certainly subject to the CCPA.
Individual Rights and Business Requirements:
- California residents have eight new privacy rights.
- Businesses have eight new corresponding obligations.
- Businesses also have three new obligations related to processing PI.
- Californians have a private right of action against businesses for data breaches in certain circumstances.
- California’s Attorney General can pursue enforcement actions.
- The AG’s office keeps a portion of all fines levied under the CCPA.
- For unintentional violations, the AG can seek up to $2,500 per violation. That cap rises to $7,500 for intentional violations.
New Business Requirements for Handling Personal Information Under the CCPA
When the CCPA goes into effect on Jan. 1, 2020, Californians have the right to know what PI a business collects, the categories of sources from which that information is collected, the business purposes for collecting or selling the PI, and the categories of third parties with which the PI is shared, sold, or disclosed.
Businesses must provide the requested PI in a readily discernible format, honor consumers’ decision to prohibit the sale of their PI, and not discriminate against consumers who exercise their CCPA rights. The CCPA also imposes new mandates regarding employee training, creating methods for consumers to assert their CCPA rights, and inclusion of contract language regarding PI with third parties.
Unlike Virginia law, the CCPA’s definition of PI is expansive and includes any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition includes IP addresses, purchase histories, internet activity (including search activity), and any consumer profile. Fortunately, CCPA amendments in October excluded de-identified and aggregate information from the CCPA’s definition of PI, so, to limit exposure under the broad definition of PI, businesses may choose to restructure their data inventory into aggregated data and de-identified information.
Think your business might be subject to the CCPA?
Dunlap Law can help your Virginia or DC business understand and adapt to the CCPA, Virginia data privacy law, and other data privacy laws nationwide. We closely track data privacy legal developments so you don’t have to. Call for a consultation today.
Dunlap Law is a SWaM-certified law firm in Richmond, Virginia and the only B Corp certified law firm in Virginia or DC. Tricia Dunlap and Tess Lynch hold the Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals.