In 1973 there was a hit song called “It Never Rains in Southern California” and, having visited San Diego, I can confirm that this is mostly true. In the legal world, however, the new California Consumer Privacy Act of 2018 may rain on some businesses, even those outside of sunny Southern California.
The CCPA has been called “GDPR Lite” after the EU’s General Data Protection Regulation. Many of the GDPR concepts are echoed in the CCPA, including greater consumer control over their personal information.
In the United States, although the Federal government has had hearings, there is currently no federal data privacy law as sweeping as the EU’s GDPR. Into this vacuum, states are working on their own solutions, which would create a patchwork of laws for businesses which cross state lines. Besides the CCPA, the following states have proposed similar data privacy bills: Hawaii, Maryland, Massachusetts, New Mexico, Rhode Island, and New Jersey. Washington State has already passed a data privacy law.
How CCPA Affects Dealers
While the data privacy trend is clear, the immediate impact of the CCPA on businesses outside California remains to be seen. The CCPA, by its terms, applies to companies which do business in California. To meet the doing-business threshold, one or more of the following elements needs to be met:
- Having more than $25 million in gross annual revenue.
- Buying, receiving, selling, or sharing personal information of 50,000 or more consumers or devices (emphasis added).
- Deriving 50% or more of annual revenue from selling consumers’ personal information.
Keep in mind that the CCPA is supposed to be fleshed out by regulations. But as currently worded, if your business makes one sale to a California resident and the business has over $25 million in gross revenue, it is arguably subject to the CCPA.
Companies covered by the CCPA are required to make sure their service providers also comply, subject to certain exceptions. Therefore, even if you do not have California customers, if you are doing business with a company covered by the CCPA, then you may need to be prepared to comply with the CCPA (e.g. you received some sales leads, containing personal information, from a company subject to the CCPA).
Your Dealers’ Obligations
While a full review of the CCPA is beyond the scope of this article, there are some highlights worth considering. First, the definition of personal information (or “PI”) subject to protection is very broad. PI includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This definition includes such items as IP addresses, email addresses, physical addresses, internet browser and search histories, and biometric information. Also notable are the opt-out requirements. If your business is covered by the CCPA, you need a link on your website home page labeled “Do Not Sell My Personal Information” which redirects consumers to a webpage permitting them to opt out of the sale of their personal information.
Businesses have 45 days to comply with a request to delete a consumer’s PI. The CCPA also requires that covered businesses update their website privacy policies to include all rights granted by the CCPA, and these policies must be updated annually.
The CCPA allows the California attorney general to pursue violations of the act and provides for penalties of up to $2,500 per violation and up to $7,500 for intentional violations. The CCPA also authorizes a private right of action and up to $750 per consumer per incident or actual damages, whichever is greater. Although this measure of damages is short of the GDPR’s penalty of up to 4% of global revenue, this means as a practical matter that class actions are sure to follow.
As individual states — and perhaps the federal government — expand definitions and protections granted to personal information and adapt to changing norms of data privacy, businesses are charged with meeting these new challenges. We can expect continuing headlines of companies who have failed to follow the changing standards and who do not monitor the flow of data through their business systems. As the old idiom says, no one plans to fail, but many fail to plan. Will your dealers be ready?
DISCLAIMER: Content provided in this article is intended for informational purposes only and should not be construed as legal advice and should not be relied upon or acted upon without retaining counsel to provide specific legal advice based upon your particular situation, jurisdiction and circumstances. No duties are assumed, intended or created by this communication. No attorney-client relationship is being created by your review or use of this material.
Robert J. Wilson, Esquire (Bob) is a Philadelphia lawyer and is General Counsel for ARMD Resource Group. Bob is the principal of Wilson Law Firm and has over 30 years of experience both as a counselor and as a litigator in State and Federal Courts. Risk management, problem solving and dispute resolution are his core competencies. Bob’s practice is largely in the consumer finance space and he regularly consults with Lenders and contributes articles on various compliance related issues.