  • Marlene

California Consumer Privacy Act

At the start of this year, California enacted a new privacy law, the California Consumer Privacy Act (CCPA), that may affect some Pennsylvania businesses.

Companies subject to the law must now be transparent about what online users’ information is collected, stored, and sold to third parties. Additionally, consumers must be allowed to opt out of having their data collected, stored, or sold. This means that patrons can request that a company delete all data collected on them. Businesses are also prohibited from charging consumers different prices or refusing service if the consumer chooses not to share data.

If in violation of the law, a company has 30 days to make the necessary changes. If they are unable to follow the law, the business could face civil penalties of $100-$750 per consumer per incident. Thus, consumers who have their data mistreated can recover monetary damages from the company that violated the law.

Furthermore, the CCPA has a very broad definition of personal data. Most information relating to a real person is protected. For instance, aliases, location, browsing history, and inferences from data such as psychological characteristics, tendencies, and intelligence are protected. Thus, almost any snippet of information could be considered another incident that could result in even more fines.

The CCPA went into effect on January 1, 2020. But businesses should have started documenting data collection in 2019, as the law requires users to be able to request all information that has been stored on them for the past year.

However, only some companies will be subject to the law. First, the business must serve California residents. Second, the business must also make at least $25 million in annual revenue, or collect data on over 50,000 people, or make half of the company’s yearly revenue on the sale of personal data. If both of these prongs are met, the company must comply with the CCPA or face fines and potential other liabilities.

Nevertheless, even companies that are not subject to the law might want to comply with the requirements. Privacy laws are becoming more commonplace. In 2018, the European Union enacted a similar law, the General Data Protection Regulation (GDPR), which has many requirements similar to those of the CCPA.

More states could follow the trend and enact similar laws. Thus, a company that begins to organize and monitor the data that is collected now could be ahead of the game. Additionally, it may be best for your company to start to meet the requirements of the law just in case your business expands.

For businesses that sell items online, or collect information from customers, the best way to inform your customers of your data collection and usage practices is through a privacy policy. Even if GDPR and CCPA don’t apply to your business, it is important to have one: it keeps consumers aware of what is happening with their information and can also help limit a company’s potential liabilities to consumers if data is stolen. It’s one simple step a company can take to be more prepared in the digital age.

Moreover, as privacy becomes a requirement under the law, consumers will become more aware of how businesses treat their information. So, patrons may be less likely to want to engage with an enterprise that is not upfront about what data is collected and how it is used. So while many small businesses in Pennsylvania don’t have to worry about CCPA compliance right now, it is still a good time to think about your online privacy policy and terms if you are selling products or collecting information online.

If you need help with understanding the new law or having a privacy policy drafted for your business (or having your current one audited and updated), don’t hesitate to reach out to us!


DISCLAIMER: This blog is meant for informational purposes only and does not constitute specific legal advice or create an attorney-client relationship. Readers should discuss their specific situation with an attorney.
