The California Consumer Privacy Act (“CCPA”) Is Coming January 1, 2020. Are You and Your Website Ready?

November 12, 2019

By Justin P. Karczag, Esq. and Muhammed Talal Hussain, Esq., Encore Law Group LLP

Everyone is aware of the various disclosures and “accept” boxes that many websites require visitors to click through. But for most businesses, there has been the general sense that these measures are “good”, but not required. That is because the United States has lagged behind most other countries when it comes to enacting strict consumer privacy and data protection laws for mere website visitors. All of that is about to change, since California is the first to pass an update to its laws governing consumer privacy and data management, to bring them in line with what some other countries around the globe have been requiring for years. Note that Nevada passed its new online privacy laws after California did, but Nevada’s laws took effect on October 1, 2019, three months before California’s new laws will take effect on January 1, 2020. Also, two Congresswomen from Silicon Valley have introduced a bill into Congress that aims to strengthen online privacy rules by creating a federal Online Privacy Act.

As a result of California’s new law, companies that have websites that California customers/consumers can view (which is pretty much every website) or that have assets in California, no matter where the company is located, will be required to comply with California’s law, if other requirements are also met, or be subject to stiff fines, penalties and civil actions.

As noted above, California’s recent amendment to its California Consumer Privacy Act (“CCPA”) goes into effect January 1, 2020. As amended, it requires most companies to make new disclosures online about the types of personal information they are collecting and how the information is going to be used. It also gives California residents new rights over the management and use of their personal information that a website collects.

The CCPA has a number of new requirements, running the gamut from requiring websites to include simple disclosures, such as disclosing the consumer’s rights under the CCPA and having a disclaimer along the footer of the website, to having a CCPA privacy policy that is published on the website, to providing detailed information regarding the categories of personal information that the company might gather online and offline, as well as setting forth standards and requirements for how these items must appear to the user. There are more onerous requirements for companies that sell personal data that they collect to others. And, every which way, the law favors consumers.

For example, its definition of personal information includes more than just social security number or address. It also includes a name, an account name, an email address, an IP address, interactions with online ads, purchasing history, geolocation information, and on and on and on. This means that if your website allows a customer to inquire online about a recent order, via email or chat or even an online form, then the CCPA is implicated. Furthermore, many websites are designed so that users who arrive on the website from ads elsewhere or Google searches are specifically identified as coming from those locations. Even that information is sufficient to trigger the CCPA. Thus, even with no active data collection features on a website, the company could still be found liable. Many companies may not even be aware that their websites or marketing programs are collecting IP addresses regularly.

Moreover, the CCPA grants consumers the right to request a report from the company detailing all of the information that the company has gathered or created on the consumer and what they did with it over the past 12 months, which must be provided within 45 days of the request. Most companies are not prepared to provide this information. There are also various standards for data protection that companies must comply with.

If your company falls under the CCPA, you must get into compliance immediately because the failure to do so renders your company vulnerable to costly lawsuits and enforcement actions. These include penalties of $100-750 per consumer per incident, which a consumer can bring in a class action, plus, if there is a notice of violation by the State that isn’t resolved within 30 days, companies face a $7,500 fine per record. The CCPA is anticipated to affect over 500,000 companies in the United States and nearly 150,000 in California. Encore Law Group can advise you on whether your business should comply with the CCPA and, if it does, how to go about ensuring that you are in compliance.

Please contact the author at muhammed@encorelaw.com.
