CCPA for Small Business: Considerations from the New California Privacy Law
The California Consumer Privacy Act (CCPA) has the potential to reshape data privacy practice across the United States as it prompts small businesses and others to change how they handle personal information. However, unlike the European Union’s General Data Protection Regulation (GDPR), most of whose requirements apply to organizations regardless of their size, the new California privacy law contains a carve-out for businesses that do not meet the thresholds specified in AB375 (left unchanged by the SB1121 amendments).
Despite the exclusion, small businesses should think carefully about the CCPA’s requirements and what they mean for their organization. Data privacy is becoming an important issue for many consumers, and businesses that decide they need not comply may find themselves at a disadvantage to larger competitors that win customers on the strength of their privacy protections. Privacy is now widely accepted as a competitive advantage for some businesses. If small businesses cede that ground to larger competitors because regulators assumed they could not afford it, they may find themselves losing customers to them. Numerous studies have found that privacy protections are an important factor in the buying decisions of consumers and businesses.
The obvious benefit of falling outside the law’s terms is that the organization does not need to increase its compliance spending to meet the law’s demands. On its face, it also falls outside the scope of the new private right of action for consumers against businesses that fail to implement reasonable security procedures and practices.
So does the CCPA apply to your business, or do you need to decide whether to voluntarily offer some of its protections anyway? The CCPA largely applies to a “business” as defined in section 1798.140 of the law. To be a covered business, a for-profit organization that does business in California and collects consumers’ personal information must meet any one of three thresholds: annual gross revenues in excess of $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50 percent or more of its annual revenue from selling consumers’ personal information.
There are areas of uncertainty in the law. California has not clarified whether the revenue and personal-information thresholds count only California sources, or whether they count all of the business’s sources so that only a handful of California consumers would bring it within the law. The California Attorney General may address this point in regulations issued as part of the rulemaking process later in the year. In the interim, it is safest to assume that any business with a substantial presence in California that meets the thresholds on a global basis will be required to comply, and to begin preparing.
It is the 50,000-record data threshold, not the $25 million revenue threshold, that is expected to catch many small businesses. The law’s definition of personal information expressly includes IP addresses, so a website that logs the IP addresses of 137 unique visitors a day would, over the course of a year (137 × 365 ≈ 50,000), collect enough personal information to be a covered business under the CCPA.
For small businesses that are not explicitly covered by these terms, some of the law’s requirements may nevertheless reach your organization. The primary way this happens is when your company acts as a service provider to a larger business that is covered by the law.
If your company works with larger covered businesses as their service provider, the larger company will need to put in place a written contract governing how you handle the personal information it shares with you. That contract will in all likelihood prohibit you from retaining, using or disclosing the personal information for any purpose other than performing the services specified in the contract.
The companies you work with may also push out new requirements as a result of the law’s data-security provision. Covered businesses are likely to impose new cybersecurity requirements on their vendors: the law exposes them to statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) when a data breach results from their failure to implement reasonable security procedures and practices. They may also decide to allocate some of the potential cost of violations to the vendor. This is reportedly happening with increasing frequency, with businesses requiring their vendors to carry additional insurance as part of that risk allocation.
Service providers also need to be prepared to delete from their own records the consumer personal information they receive from a covered business. When a business completes a verifiable consumer request to delete, the CCPA requires it to delete the consumer’s personal information from its records and to direct its service providers to delete it as well.
Small businesses may not face all of the compliance burdens of a large business under the California Consumer Privacy Act, but many must nevertheless be prepared to enhance their privacy protections as the law comes into effect at the beginning of next year (January 1, 2020). From working as a service provider to companies that must comply with the CCPA, to dealing with consumers who will expect more from businesses on privacy regardless of their size, the new California privacy law will change the landscape for all businesses, including those that fall below the law’s thresholds.
Contact Clarip Today for Help with CCPA and GDPR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.