The new Californian law that affects the entire internet
The state of California has passed a new data privacy law.
You might think that as the manager of a UK/European business you are not affected. Unfortunately, reading the small print shows that there’s a chance your business will feel the implications if it’s over a certain size – and looking to the future, it’s worth bearing in mind that laws often ripple outwards to cover other states or even countries.
The new California Consumer Privacy Act (CCPA) AB 375 privacy law took effect on January 1, 2020, and applies to you if your company does business in the US State of California (even if it is located in another state or country) and satisfies one or more of its thresholds. This means that although it is a Californian law, it can affect all website, mobile app, and SaaS owners who collect information about Californian consumers, regardless of what state or country they are located in.
The most important phrase is the bit that mentions ‘collect information about Californian consumers’. You wouldn’t need to be actively asking for names and addresses, because the law includes the data delivered via a website cookie – and so it has a greater impact on the internet than first thought. It could easily include British news websites or other information resources, or sites with large numbers of US visitors.
Although the provisions put in place for GDPR might cover some of the same ground, be aware they are not interchangeable. CCPA has a different set of provisions in regard to record keeping, definitions and requirements. It centres around the right to know about use/sale of personal information, the right to have any personal info deleted, the right to opt out of the sale of info to other organisations and the right not to be discriminated against for doing so. Any business breaking these rules could have to pay $2,500 per person affected, up to $7,500 if it was deliberate.
CCPA applies to your website if your company:
(a) has annual gross revenues of more than twenty-five million dollars ($25,000,000).
(b) alone or in combination annually buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. This threshold can be reached more easily than you think because of the law’s broad definition of ‘personal information’, which includes visits to your website. As an example, if your website gets 137 or more unique visitors a day from Californian consumers, then over the course of a year (365 days) you would meet threshold (b).
(c) derives 50% or more of its annual revenue from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means Californian consumers’ personal information by the business to another business or a third party for monetary or other valuable consideration.
California’s definition of selling a consumer’s personal information is broad. “Sell,” “selling,” “sale,” or “sold,” in section 1798.140 of California AB No. 375 is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. If section (c) applies to your business, you have further obligations.
At first glance, it seems surprising that California has done this. After all, what harm is there in tracking users with cookies or collecting names for the purpose of sending occasional marketing material? However, the reasons are no doubt largely to do with some of California’s biggest internet businesses. The likes of Facebook, Twitter and Google are not just pinging out a few email offers from time to time. These behemoths have access to almost unimaginable amounts of personal data. For years, this power went unchecked, but over the past months there has been a growing backlash. In July 2019, Facebook was fined $5bn by the Federal Trade Commission for violating user privacy during the Cambridge Analytica scandal. Even a penalty of this magnitude was considered too low by some members.
The new law should go some way to help clip the wings of this power. As an example, Facebook has around 25m Californian users, so they could face a maximum penalty of $62.5bn for an unintentional violation and $187bn if they did it on purpose. Other states and countries will no doubt be looking at this new law with interest. For now, it seems like best practice to ensure your website is keeping users’ data safe.
If you need help ensuring that your website is compliant and up-to-date with this and other privacy legislation, just give us a call.