Small Businesses Outside of California Can’t Afford to Ignore the California Consumer Privacy Act (CCPA)

by | Jun 27, 2022 | Cybersecurity

Please note that in no way is Help Desk Cavalry providing legal information or counseling in this article. The content below is offered for your information only and any concerns or questions about complying with current laws should be directed to a legal professional.

There are a few reasons that every small business needs to be aware of the California Consumer Privacy Act (CCPA). First, its reach goes beyond companies inside the boundaries of California state. And second, as privacy and cybersecurity become more ‘hot button’ topics for lawmakers, the more prevalent laws like CCPA are predicted to become. Which means that becoming familiar with it now could save your company a lot of money and market loss in the future.

What is the CCPA?

The CCPA is a data privacy law that has been in effect since January 1st, 2020, and its purpose is to enhance privacy rights and consumer protection for California residents.

The law gives all people who reside in California the right to know about the personal information businesses collect about them, the right to delete the collected personal information, the right to opt-out of the sale of the collected personal information, and the right to non-discrimination for exercising their CCPA rights.

Personal information is defined as any information that identifies, relates to, or could reasonably be linked with California residents or their households. Examples include email addresses, names, geolocation data, records of products purchased, and social security numbers.

Information that’s publicly available in federal, state, or local government records is not considered to be personal information, and the CCPA also doesn’t apply to personal information that’s subject to other federal regulations, such as HIPAA, HITECH, DPPA, GLBA, and FCRA.

The CCPA is enforced by California’s Office of the Attorney General, and non-compliance can be punished with fines up to $2,500 per unintentional violation and up to $7,500 per intentional violation.

What Businesses Are Subject to the CCPA?

Contrary to what many business owners still believe, the CCPA doesn’t apply only to businesses that are physically located in California.

It applies to all businesses that collect or sell personal information of California residents (even when the residents are temporarily outside of the state) and meet at least one of the following three criteria:

  • The annual gross annual revenue of the business exceeds $25 million (nonprofits are exempt).
  • The business buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices.
  • The business derives 50 percent or more of its annual revenue from selling California residents’ personal information.

For example, a Washington-based provider of online services has to comply with the CCPA if it collects the personal information of only 137 different California residents every day.

The CCPA also applies to small businesses outside of California that are considered to be service providers of larger businesses that meet the above-described criteria.

How Should SMBs Address the CCPA?

The CCPA is a serious indication of a future in which consumers are aware of their data privacy rights and expect the companies they do business with to respect them. Those who fail to meet the growing data privacy expectations may find it difficult to remain competitive and profitable.

All small businesses, regardless of where they’re located, should determine whether they are subject to the CCPA (this is where consulting legal counsel comes into play). Those that are subject to it need to take the steps necessary to comply with the privacy rights the law gives to California residents.

Small businesses that are not subject to the CCPA may be out of the woods, but they’re certainly not in the clear. Several other states are already taking the CCPA road, including Alaska, Arizona, Connecticut, Florida, Maryland, Massachusetts, Minnesota, Mississippi, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Utah, South Carolina, Vermont, and—our home state—Washington.

The CCPA itself will be amended and expanded when the California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, takes effect on January 1st, 2023, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and more.

To stay on top of evolving privacy legislation and to never become an unwitting victim of regulatory fines, all small businesses should monitor proposed CCPA-like bills in all states in which they do business and at the federal level.

How We Can Help

While we’re not able to provide legal counsel on business privacy and data laws, we can certainly supply you with the tools you need to stay compliant. If you’re curious how we do this, just get in touch. We help companies like yours stay ahead of the curve.