Updated: Jul 15, 2020
By Daniel Garcia
Small business owners are facing many challenges as a result of the pandemic. They are dealing with the loss of business, keeping enough employees on their payroll, and other financial burdens, as well as the challenge of staying up-to-date with the pandemic-related safety regulations enacted by the federal, state, and local governments. The nation adjusted rapidly to the stay-at-home orders and millions moved almost all aspects of their lives online, including work, school, socializing, and general day-to-day activities. As the nation begins to move towards a post-pandemic era, small business owners begin to see the restrictions ease up and are excited to see the light at the end of this dark tunnel. Yet, another obstacle stands in their way. Because of the large influx of consumers moving all their interactions online, many small businesses may now have to comply with the California Consumer Privacy Act (CCPA), a new privacy law. The Attorney General will begin enforcement of the CCPA on July 1st, 2020, which means that many small business owners may have less than a month to either comply or face the possibility of being fined. Small businesses like restaurants, mechanic shops, hair stylists, coffee shops, and many others may be subject to the requirements of the CCPA.
What is the CCPA
One of the most protective acts passed by a state, the CCPA's goal is to give consumers the right to control their personal information collected by businesses. The California Legislature passed the CCPA in 2018 and it became law on January 1, 2020. The CCPA requires certain businesses to take steps that will effectively give the consumer control over their personal information (names, email addresses, numbers) that a business collects. Aimed at protecting residents of California, it can also apply to businesses that do not have a physical office, store, or residence in California. For example, a purely online business that collects the personal data of California Residents, while in California, may have to comply with the CCPA. It is estimated that the CCPA is going to protect $12 billion worth of personal information used for advertising in California each year.
What businesses must comply with the CCPA?
How does a small business know if the CCPA applies to them? A business will be required to comply with the CCPA if it conducts business in California, satisfies one of the three requirements below, and collects the personal information of California residents that it has access and control to.
First, what is a business under the CCPA? A business is any sole proprietorship, partnership, LLC, corporation, or any other legal entity that does business in California. To qualify as conducting business in California, the business must meet one of the following criteria:
1. Engage in any transaction for financial gain within California,
2. Be organized in California,
3. Have California sales, property, or payroll which exceed the amounts described here.
Second, for a small business to fall under the requirements of the CCPA, one or all of the following must be true:
1. Its gross annual revenue is more than $25 million (including all revenue, not just its net profit),
2. It buys, sells or receives the personal information of 50,000 or more consumers (can be alone or a combination of buying, selling or receiving personal information), households or devices; or
3. It receives 50% or more of its annual revenue from selling consumer’s personal information.
In addition to meeting one of the three requirements above, a small business must also collect personal information (which is detailed below) of California residents and control how the information is processed and stored. All three criteria above are determined annually, which means that the gross revenue, personal information sold, bought, or received and revenue received from selling consumer personal information resets at the start of each year.
What does the CCPA require of businesses?
Without getting into too much detail about all its requirements, the CCPA gives consumers five main rights that businesses must acknowledge, if applicable. The consumers have a right:
1. To request what personal information the business has collected and the categories of the information that has been collected. They also have a right to know how that personal information is being used.
2. To request a copy of the information that has been collected by the business.
3. To request that any personal information collected by the business be deleted.
4. To request that the business does not sell the consumer’s personal information or give the information to another business for a business purpose.
5. To be free from discrimination based on exercising the rights above.
It is important to note that the list provided is not exhaustive of the rights granted to customers but is simply an overview of the main requirements. If you believe your business may have to comply with the CCPA, you can visit Legalucy to help identify any potential legal issues or visit any one of the firms listed at the end of this article.
Businesses that are required to comply with CCPA must also train their employees on all the requirements of the CCPA and on how to direct the consumers to exercise their right if the employee is handling the requests about the business privacy practices or its compliance with the rules.
Failing to meet these requirements of the CCPA can cause a business to receive a penalty from the Attorney General of up $7,500 for each intentional violation and up to $2,500 for each unintentional violation, a costly mistake for failing to comply. A consumer may also recover from the businesses an amount from $100 to $750 for breaches in their security that cause the consumer’s data to be stolen or disclosed.
What exactly is “personal information”?
How does a small business owner know whether or not they are collecting personal information? The CCPA is very broad when it comes to what is classified as personal information. Generally, names, addresses, and email addresses are all types of personal information that are described in the CCPA. However, there are more specific types of information that a small business owner might not be aware of. Here are some examples:
1. “Biometric information” including DNA, fingerprints, retinal images, palm scan, and voice recordings;
2. Visual information; and
3. Internet data, such as IP addresses, browsing history, and any information regarding a consumer’s interaction with the small business owners’ website, app, or advertisement.
There are many more specific and complex types of personal information that may be
collected, which can easily cause a small business owner to reach 50,000 consumers.
How are small business owners being affected by the CCPA?
Small business owners are already struggling to stay afloat during the pandemic. They are facing significant losses of revenue, inability to maintain an adequately staffed business because some employees may be receiving more pay with unemployment or refusing to work, and they struggle to apply for and secure small business loans and payroll protection loans.
Not only is this costly but also hasty; small business owners will have to determine if they meet inclusion criteria and if they do, comply with the requirements by July 1st, 2020. Depending on when you’re reading this article, that gives small business owners a month or less to comply. According to the ESET study found here, 44% of small business owners have never heard of the CCPA and another 44% didn’t know if it applied to them. A significant number of small business owners may be facing fines and compliance costs within this next month for a law they might not know about. Also, the Berkeley Economic Advising and Research team, in a study prepared for the Attorney General, predicts that small businesses are going to face higher compliance costs than the larger corporations and will struggle to meet those costs. The CCPA may have the incidental effect of closing more small businesses because they may not be able to afford to pay potential fines, compliance costs or a lawyer to assist them with compliance.
However, there is some breathing room. If the Attorney General does issue a violation, the business has 30 days to comply with the CCPA. There have been some requests submitted to the Attorney General to waive enforcement of the CCPA until January 1, 2021, but at the time of this writing, the timeline has not changed, and enforcement will begin on July 1st, 2020.
How can a small business owner follow the CCPA?
There a few steps a small business owner can take to follow the CCPA. The first step is to recognize if their business falls under the requirements set by the CCPA. Reviewing the guidelines above is a good starting point. Second, if a business determines they have to comply, they can start to get an understanding of the CCPA by reading the requirements above, but they should read the CCPA in full to understand all the requirements. The CCPA can be found here. A small business owner should also be aware that the CCPA is a fluid document and the regulations are being modified continuously. Currently, there have been two modifications to the CCPA and those can be found on the Department of Justice page here.
The CCPA has many requirements that must be met for a business to comply. If you are a small business owner and believe you cannot adequately fulfill the requirements alone, you can contact any number of law firms to receive assistance (recommendations are listed below). You can also use Legalucy to narrow down the specific areas of help that you need.
How can a small business owner take steps to be ready to comply with the CCPA?
Maybe your small business does not meet the requirements yet, but because of the increase in online traffic, you might hit the requirements this year. Maybe you want to follow the CCPA guidelines and be prepared for the future. Either way, whether your business is subject to the CCPA or not, any California business owner should monitor the ongoing privacy regulations to make sure their business complies with the CCPA and any new regulations. Here are some steps to take that can help business owners prepare for future compliance:
1. Keep track of all the data that is being collected by the business, including written notes, or anything that can identify the consumer;
2. Understand the requirements that the CCPA places on the business to comply with requests from the consumer;
3. Hire or train a current employee to be able to respond to requests by consumers and show the consumer how to exercise their rights;
4. Set a system in place that enables a business to identify whether the personal information being collected belongs to a California consumer or not; and
5. Implement a system that categorizes the types of personal information the business is collecting.
This list is not exhaustive of all the steps a business should take, and a business owner should read the CCPA or seek professional assistance when preparing to comply with the CCPA.
Where can I get help to comply with CCPA?
If complying with the CCPA seems like a daunting task, some resources can help you.
I have mentioned a few here:
1. Seek the opinion of the Attorney General for guidance on how to comply with the regulations.
2. Use Legalucy to narrow down the type of assistance your business needs to comply with the CCPA.
3. Contact any of these firms to help with CCPA compliance or any related assistance that may be needed.
c. Cooley LLP, and
The Take-Away Points
It is evident that small business owners are facing many challenges as a result of the COVID-19 pandemic and it seems time after time, another complexity comes at their front door. Hopefully, this article has given some guidance for determining if your small business has to comply with the CCPA as well as useful information on different responses to take. Best of luck; the light at the end of the tunnel is getting closer and better days lie ahead.
Are you interested in launching or sustaining a pandemic proof small business? Spot issues, take action, stay safe, and thrive in a post Covid-19 world with Legalucy. Learn more at thelucyreport.com
Your interaction with Legalucy and mypandemicproofbusiness.com does not create an attorney client relationship. We provide information for your reference only. Such information should not and cannot be construed as legal advice. For more information, please contact firstname.lastname@example.org.