California Consumer Privacy Act
At the start of this year, California enacted a new privacy law, the California Consumer Privacy Act (CCPA), that may affect some Pennsylvania businesses.
Companies subject to the law must now be transparent about what online users’ information is collected, stored, and sold to third parties. Additionally, consumers must be allowed to opt out of having their data collected, stored, or sold. This means that patrons can ask a company to delete all data collected on them. Businesses are also prohibited from charging consumers different prices or refusing service if the consumer chooses not to share data.
If in violation of the law, a company has 30 days to make the necessary changes. If it is unable to follow the law, the business could face civil penalties of $100-$750 per consumer per incident. Thus, consumers who have their data mistreated can recover monetary damages from the company that violated the law.
Furthermore, the CCPA has a very broad definition of personal data. Most information relating to a real person is protected. For instance, aliases, location, browsing history, and inferences from data such as psychological characteristics, tendencies, and intelligence are protected. Thus, almost any snippet of information could be considered another incident that could result in even more fines.
The CCPA went into effect on January 1, 2020. But businesses should have started documenting data collection in 2019, as the law requires users to be able to request all information that has been stored on them for the past year.
However, only some companies will be subject to the law. First, the business must serve California residents. Second, the business must also make at least $25 million in annual revenue, or collect data on over 50,000 people, or make half of the company’s yearly revenue from the sale of personal data. If both of these prongs are met, the company must comply with the CCPA or face fines and potential other liabilities.
Nevertheless, even companies that are not subject to the law might want to comply with the requirements. Privacy laws are becoming more commonplace. In 2018, the European Union enacted a similar law, the General Data Protection Regulation (GDPR), which has many requirements similar to those now required by the CCPA.
More states could follow the trend and enact similar laws. Thus, a company that begins to organize and monitor the data that is collected now could be ahead of the game. Additionally, it may be best for your company to start to meet the requirements of the law just in case your business expands.
DISCLAIMER: This blog is meant for informational purposes only and does not constitute specific legal advice or create an attorney-client relationship. Readers should discuss their specific situation with an attorney.