If you are a for-profit business that does business in California and meet any of the following three criteria: (1) annual gross revenue in excess of $25 million; (2) annual purchase, receipt or sale of the personal information of 50,000 or more California residents, households, or devices; or (3) 50 percent or more of annual revenue derived from selling consumers’ personal information, then you need to update your privacy policies. Failure to comply with applicable state privacy laws can lead to significant fines and penalties from the California Attorney General or a district attorney, or to class action lawsuits.
The California Consumer Privacy Act (CCPA) requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination. More changes to the privacy policies will need to be made for 2023 under the California Privacy Rights Act (CPRA).
Who Must Comply With California Privacy Laws?
California privacy laws apply to any company that collects personal information from California residents, regardless of where that company is located. That means every business, no matter its size, must comply with California privacy laws because it is collecting personal information from consumers. The term “consumers” is interpreted so broadly as to include any “natural person who is a California resident.”
“Personally Identifiable Information” or “Personal Information” includes, but is not limited to:
- First and last names
- Home or physical street addresses
- An email address
- A telephone number
- Birthdates
- Financial information
- A Social Security number
- Or any other information that permits a specific individual to be contacted physically or online
To begin with, all businesses that operate commercial websites and collect personally identifiable information must have a Privacy Policy. At the very least, your business will likely collect emails, names, or IP addresses from visitors to provide your services. If one of those visitors is a California resident, then a California-compliant Privacy Policy is required. Even if the visitors are not California residents, a Privacy Policy may still be required in accordance with applicable state law.
Other businesses, depending on their annual gross revenue, the percentage of annual revenue they derive from sharing or selling personal information, and the amount of California consumer or household personal information they buy, sell or share, may be subject to the CCPA and CPRA, which are the more stringent privacy laws in California.
To give you some background information, in 2018, the CCPA expanded privacy rights to include the ability for consumers to learn what personal information a business has collected and how it’s used, as well as to prohibit companies from selling their personal data.
The CPRA is the next privacy directive that increases the protection of consumer privacy. The CPRA supports the CCPA, and covered businesses will need to make more changes to data processing and sharing based on the new requirements. Broadly speaking, the law updates and clarifies the CCPA and introduces other new regulations.
Essentially, the CCPA/CPRA give consumers more control over the personal information that businesses collect about them. The CPRA will come into effect on January 1, 2023, with its enforcement set to begin on July 1, 2023. The CCPA, by contrast, already went into effect in January 2020.
What Happens When a Business Faces a Data Breach or Non-Compliance?
A data breach, depending on its impact, size and nature, or noncompliance with any privacy law applicable to your business may lead to hefty fines and penalties. First, individuals, the Attorney General, or a district attorney may bring an action under California’s Unfair Competition Law (UCL) against a business whose website is not privacy compliant. Lawsuits can be initiated by consumers who suffer damages from a business’s unfair actions. The UCL provides that a lawsuit may be brought “by a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.” If a court finds that the business engaged in unfair competition, the court may impose a civil penalty of up to $2,500 for each violation. Each violation could add up to a substantial amount of money. For instance, every visit to a website or each download while failing to comply can be a violation.
Second, under the CCPA/CPRA, the California Attorney General can seek civil penalties of $2,500 per violation, or $7,500 for each intentional violation. The CCPA/CPRA also allows for a private right of action. Significantly, if successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as other relief. Still, before a consumer would be able to bring a lawsuit following a covered business’s data breach, they must provide the covered business 30 days’ written notice identifying the specific provisions of the CCPA/CPRA that were violated. If the covered business actually cures the violation within the 30-day period and provides an express written statement that the violation has been cured and that no further violations will occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.
What Now?
To mitigate any risks of fines and penalties, your business should reasonably protect any and all personal information it collects. Determine what personal information your business collects, why this information is being collected, where this information is being shared, and how this information is being stored and secured. Furthermore, evaluate whether your business is subject to the CCPA/CPRA.
Next, as a starting point, businesses collecting personal information of California residents on their websites must have a California-compliant Privacy Policy posted on the website, app, or contact form.
This article is not intended to and does not constitute legal advice or a solicitation for the formation of an attorney-client relationship. For questions about privacy law or other matters, reach out to our experienced privacy team at 408.286.5800 or e-mail iris.chiu@berliner.com.