Much ado has been made in recent years about the right to privacy and about consumers acquiring a modicum of control over their data and how it is used. Many small business owners have acquired the impression that the spurt of privacy laws enacted within California applies solely to Fortune 500 companies. To be fair, this is understandable when the news is filled with stories about the latest way big businesses use (and possibly abuse) consumer data.
A business owner should be aware that their website generally must have a privacy policy - a public statement explaining how consumer data is acquired, handled, and disposed of - and should have terms & conditions of use, a formal contract by and between individuals browsing the business' website and the business. This post focuses on the privacy policy and the California Consumer Privacy Act (the "CCPA").
At present the CCPA applies to three categories of businesses: companies that serve California residents and have at least $25 million in annual revenue, companies of any size that have personal data on at least 50,000 people, or companies that collect more than half of their revenues from the sale of personal data. It is anticipated that the CCPA will be stretched to apply to all businesses in the coming years.
Under the CCPA, a California resident may ask businesses to disclose what personal information they have about the resident and what they do with that information, to delete the resident's personal information, and/or not to sell the resident's personal information. Residents also have the right to be notified, before or at the point businesses collect their personal information, of the types of personal information being collected and what the businesses may do with that information. Generally, businesses cannot discriminate against consumers for exercising their rights under the CCPA. Businesses cannot make consumers waive their rights under the CCPA, and any contract provision that says consumers waive these rights is unenforceable.
Accordingly, it is best to have a privacy policy that explains what, if any, information is collected and why. There are exemptions to the consumer's right to 'opt out'. For example, if there is a valid business purpose for keeping personal information on file, a business can keep that information. If there is a statutory or regulatory obligation to maintain personal information - e.g., firearm dealers are required by law to keep records on all sales and purchasers for a number of years - the consumer cannot opt out.
When residents contact a business regarding the CCPA, a business generally has 45 days to review any request and respond. However, beware: in this day and age there is a risk that someone will impersonate an individual and make fraudulent requests to try to gather information on that individual. It is always a good idea to require that a resident provide proof of their identity, preferably using the email address(es) on file with the business, and demonstrate that they are in fact the individual they claim to be.
Also, be aware that only California residents have any rights under the CCPA. An individual contacting a business from Ohio has to point to Ohio law and explain how and why a California business is obliged to follow such law when processing any request for information - it could be that a drop shipping company that sells products to Ohio residents would be obliged to abide by Ohio law, but a California tire dealer who sells only to local Californians would not be so obliged.
What counts as 'personal information'? Generally, it is information that can identify an individual, is private, and not for public disclosure. Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records.
Please note that most businesses must have a privacy policy - not because of the CCPA, but because of the 2003 California Online Public Privacy Act (the "CalOPPA"). This is discussed in another post, but generally any entity that collects personal information via a website must have a policy and must explain to consumers what is going on with their information. This includes businesses that are not within the State of California.
If you have any questions relating to the consumer privacy laws of California, please don't hesitate to contact my office.