By Associate Attorney Danielle Nodar
The California Consumer Privacy Act (CCPA), the strictest U.S. law regulating consumer data privacy, became effective on January 1, 2020. Even though the CCPA protects California consumers only, North Carolina business owners with e-commerce businesses should take note because the law may apply to their business. The law applies to a business “doing business in California,” which includes selling goods or services to California residents even if the business is not physically located in California.
The CCPA gives California consumers certain rights to their data privacy, including the right to know what kinds of personal data a business collects, uses, shares, or sells to third parties. Consumers will also have a right to request that a business delete any personal data kept on the consumer or prohibit the sale of personal data to third parties. The CCPA also protects a consumer with guarantees that a business will not penalize the customer with higher prices or lower levels of service if they request information regarding their data or data deletion.
A business must comply with the CCPA’s data privacy requirements if it collects and sells consumer personal information of a California resident or discloses personal data for a business purpose. “Personal information” is broadly described as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.” This includes many identifiers such as name, address, social security number, email address, IP address, and geolocation data.
Since the CCPA doesn’t just apply if a company sells data, it is important to understand how “business purpose” is interpreted under the statute. The CCPA defines “business purpose” as “the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” Some examples include 1) fulfilling the reason the information was provided (i.e., to provide the requested product or service); 2) administering websites; 3) performing market research; 4) advertising products and determining the effectiveness of such marketing; 5) internal research for technological and business development; 6) debugging and repairing errors on websites; and 7) detecting security incidents, including fraudulent or illegal activity.
Luckily, there is an exception for small businesses. For the CCPA to apply, a business must meet at least one of the following requirements: 1) have a gross annual revenue of $25 million or more; 2) possess personal data from 50,000 or more individuals, households, or devices; or 3) earn at least 50% of its annual revenue from the sale of personal data.
If you believe that you may need to make your business CCPA compliant, contact Jesson and Rains for help with understanding and complying with these new data privacy regulations.