CCPA and Its Effect on Small Businesses

The California Consumer Privacy Act (CCPA) is a comprehensive privacy law for data protection in the State of California that will take effect on January 1, 2020. It aims to protect and control personal information of the residents of California and applies to a “business” as defined in Section 1798.140 of the CCPA. Under the CCPA, a “business” means all for-profit legal entities doing business in California, including individuals who operate as sole proprietors, regardless of where the business is located.

Small businesses and startups of every size are not exempt if they meet at least one of the criteria of the CCPA, namely:

  1. The business has annual gross revenue of $25 million USD.
  2. The business is involved in buying, selling, or sharing the personal information of more than 50,000 consumers annually.
  3. At least 50% of the annual revenue comes from selling consumer data of California residents.

Unfortunately, these criteria are construed very broadly and satisfying one of these thresholds may not be as difficult as it seems. For instance, “selling” as mentioned in #2 above would include, among others, disclosing, making available, communicating a consumer’s personal information to another business or a third party for consideration. As of the time of this article is written, there is no definition under the CCPA of what consideration is – and without any further guidance  by the attorney general, consideration could exist simply when there is an exchange of personal information with any potential benefit, monetary or nonmonetary, such as service. That means, businesses that exchanges personal information with another business for consideration can be deemed to have conducted a “sale” under the CCPA.

Historically, personal information has been defined as information that can identify an individual. CCPA expands the definition of “personal information” to include any information that directly or indirectly identifies not just a consumer or an individual, but also a household. Thus, personal information would include not only someone’s name (and now IP addresses as well under the code), but also commercial information, such as records of products or services purchased, purchasing histories or tendencies, browsing history, and so forth. These broad definitions provided in the CCPA will cast a wide net, subjecting all kinds and sizes of businesses to the law.

To reach 50,000 personal information annually, you need to collect an average of 137 personal information of California residents on a daily basis. Thus, if you utilize data collection services or any analytics tool, such as Google Analytics, and it collects IP addresses from your website visitors – think about how much information it collects daily on IP addresses alone. Add that to having a contact form or a chatbot where it is capable to collect personal information, such as names and email addresses.

The State of California gives plenty of reasons for small businesses and startups to think about compliance. The CCPA will allow both the consumer and the state to take action for noncompliance. Unintentional violation of any provision of the CCPA would enable the California Attorney General to enforce a civil penalty up to $2500 per each violation and $2700 for each intentional violation if a business fails to correct the alleged violation within 30 days from being notified of noncompliance. In a case of data breach, private parties can recover damages a claim ranging from $100 to $750 per incident or actual damages, whichever is greater.

If the penalties are not enough to motivate you, think about how having a CCPA-compliant business can only do good things for your business – from enhancing your reputation to building consumer trust.

One common issue we hear from small businesses and startups is how costly compliance can be for them. Fees for legal consultants and attorneys are often exorbitant and data management tools can be very expensive.  However, at the same time, noncompliance is really not an option. Violation may result in steep fine, lawsuits or potentially even going out of business.