California’s new Consumer’s Privacy Act (“CCPA”), which came into effect on January 1, 2020, is the most far-reaching privacy law enacted in the United States by either the federal government or a state government. It mimics, to a certain extent, the GDPR privacy laws of the European Union.
The CCPA is quite difficult and onerous to comply with. First you have to determine if it applies to your website. If your website has customers that are California residents, then you may have to comply with the CCPA. It doesn’t mean that just companies located in California must comply, rather anyone who has a website that has customers in California whom provide 25% of the company’s total revenue are liable if they do not comply. And if your company pays more than 25% of its costs/compensation to California residents, independent contractors or other companies you may also be liable if you do not comply with CCPA. In summary, if you “do business” in California then you must comply with the CCPA. You can obviously “opt out” of compliance but you would need to block all internet traffic that is visiting your site from an IP addresses located in California. This is what many US companies do with regard to the GDPR in the European Union. Rather than complying with EU law, they simply do not allow visitors to the website from any of the twenty-six (26) European Union member countries.
The next step is to determine when you met the other initial thresholds of the CCPA.
The CCPA applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California, and satisfies at least ONE of the following thresholds:
- has annual gross revenues in excess of $25 million;
- buys, receives, or sells the personal information of 50,000 or more consumers or households;
- Earns more than half of its annual revenue from selling consumers’ personal information.
You may want to stop reading here, but don’t. For some the threshold of 50,000 consumers per year is very easy to meet. From an internet traffic standpoint, if your website is receiving an average of 137 unique visitors per day, then it is quite possible that the CCPA applies to your business. If your website utilizes any type of web traffic analysis software or application – ie., Google Analytics – then you need to comply with the CCPA. Google Analytics captures information from your visitors through the use of cookies and shares that information with Google directly.
If you have an email capture form on your website where you ask visitors for the personal identifying information such as name, phone number or email address, you also receive information on your visitors that might cause CCPA to be applicable to your business.
If your website meets just one of the three thresholds then the CCPA applies to your business and your visitors are protected under the CCPA.
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
The question then becomes what happens if my company does not comply with the CCPA?
The two most severe penalties are;
- Companies that become victims of data theft or other data security breaches can be ordered in civil class action lawsuits to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, and any other relief a court deems proper, subject to an option of the California Attorney General’s Office to prosecute the company instead of allowing civil suits to be brought against it (Cal. Civ. Code § 1798.150).
- A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation (Cal. Civ. Code § 1798.155).
For example, if your website’s data is breached, and you have 500 California residents who are victims of the breach you may be ordered to pay more than $375,000 in restitution to all of those California residents.
Obviously, with the recent data breaches by numerous adult companies (Ashley Madison, Cam4, ImLive) it is clear that not enough is being done to protect performer’s and client’s private information. Failure to protect such information and to not comply with California’s CCPA can lead to the financial destruction of your business.
If your website does not have a current Privacy Policy, it is absolutely required by California law. If you do have one, it is now time to update that policy with the new requirements imposed by the CCPA. You have until June 30, 2020 to implement and post your new policies.
