Many businesses – especially online businesses and content creators, such as bloggers, vloggers, e-distributors and e-book authors – rely on collecting email addresses and other customer information to grow their passion project into a full-time enterprise. And the beautiful thing about the Internet is those businesses can reach beyond their local community to help consumers across the country. Unfortunately, these same characteristics place online businesses squarely in the path of a new California privacy law.
HELLO, CALIFORNIA CONSUMER PRIVACY ACT
Your first instinct may be that if your business isn’t based in California, you can safely ignore one more crazy law coming out of the Golden State (I say this as a former Californian). The problem is that California is not necessarily ignoring you.
Starting January 1, the most far-reaching privacy law in the nation goes into effect, creating the potential for huge fines and liability risks. The California Consumer Privacy Act of 2018 (CCPA) represents a massive shift in the way that personal information will need to be collected, used and protected. The good news is that the law has some safeguards to exempt non-California companies and small businesses from the most onerous of the requests. The bad news is those safeguards may not apply to businesses with an online presence and even a moderate customer list.
A word of warning before we begin – due in part to the way it was written and passed (Google it if you’re interested), the CCPA is incredibly vague in places and is actually still in the process of being fine-tuned by the legislature and the California Attorney General as to what some of it even means. I’ve attempted to give a general overview here, but the devil is in the details, so if it sounds like the CCPA may apply to you, please check in with your favorite attorney to figure out exactly what your business needs to do.
WHICH ONLINE BUSINESSES NEED TO WORRY?
First and foremost, you need to know if the new law applies to you. If it does, you have some work to do. If it doesn’t, you can go back to ignoring the California legislature – for now. But as your business grows and changes, keep the CCPA in the back of your mind so that you don’t accidentally wander into its jurisdiction without planning ahead. And of course, there’s always the chance that other states or Congress see what California did and decide to adopt it themselves.
So who does the CCPA apply to? Think of it as a three-step checklist – if you meet all three criteria, the CCPA applies to you regardless of where your business is located. Generally speaking, the three criteria are:
1. You’re a for-profit business;
2. You “do business in California”; and
3. Any of the following describes your business:
· You have annual gross revenues (not profits) in excess of $25 Million;
· More than 50% of your annual revenues come from selling consumers’ personal information; or
· You annually buy, receive, sell, and/or share personal information of 50,000 or more California consumers, households, or devices (in any combination).
Let’s take each of these in turn. First, whether you are a for-profit business is probably self-explanatory (and no, it doesn’t turn on how much profit you’re making) – if you’re really not sure, check with your attorney or accountant.
Second, whether you “do business in California” is – like most of this law – a little unclear, but California seems to be taking a pretty broad view on this. If you are registered with California to do business or pay California taxes, you’re almost certainly covered. Even if you do neither, the statute only excludes businesses “if every aspect of … commercial conduct takes place wholly outside of California,” which potentially means that if any part of capturing or using a consumer’s information took place in California, it counts. That likely includes collecting information from a Californian while they are in California, even over the internet or phone.
The third criterion is the one that will give many small businesses a false sense of security. The average blogger probably isn’t pulling in $25 million in revenues (if you are, congrats!), and if you primarily make your money selling data, the CCPA likely isn’t coming as any surprise. But the third item has a number of non-obvious “gotchas” for even small online businesses.
At first glance, 50,000 may seem like a big number. The problem is in how broadly the statute defines “personal information,” and that any combination of information adding up to 50,000 people, households and/or devices in a year gets you across the threshold. “Personal information” is not just sensitive information like names, birthdates and social security numbers. It’s essentially anything that can reasonably be linked back to a particular consumer or household. Names, telephone numbers, email addresses, cookies, IP addresses, geolocation data, Facebook profiles – even customer profile information that you assemble yourself, like purchase history – count towards the total. So, if your website is automatically capturing information such as cookies or IP addresses, you can get to 50,000 with just 137 unique visitors a day. Even if that doesn’t put you over the top, consider the number of other pieces of information you collect during the course of the year, then add it to your website totals and see what it amounts to.
“Consumer” is also non-intuitively defined as any California resident – not just customers. Information about your own employees (if they are California residents) counts, and if you work with California businesses (e.g., vendors or distributors) and track contact information for their personnel, you may be well on your way to 50,000.
Other potential traps are sales leads and email lists. If you acquire or trade a list of potential customers, that counts towards your total, as does collecting email addresses (or any other personal information) for newsletters, email blasts or social media ads.
If you think the CCPA applies to your business - or even may apply in the future - my next post will cover what the CCPA actually requires you to do and what you can do next to prepare.