Here’s why companies not located in California should still care about the state’s stricter consumer
California’s consumer privacy law is changing, and if you own a business — in ANY state — you should care. Let me get you up to speed.
Last November, California voters passed the California Privacy Rights and Enforcement Act (CPRA), which amends portions of the California Consumer Privacy Act (CCPA), making the law even more comprehensive and offering consumers more protections. It goes into effect Jan. 1, 2023.
Consumer privacy laws generally focus on the protection of consumers’ personal information through limits on the use of that information and security requirements for how that information must be stored. Each state has a different set of privacy laws. Yes, there is no federal consumer privacy law — though it is talked about now and then, especially when California or the European Union have enacted more stringent laws.
Businesses have to follow privacy laws that exist wherever they do business and have customers. And that is why, as a business owner — anywhere — you should want to know about California’s privacy laws. California is one of only a few states in the country with strict privacy laws, so it’s smart business to keep up with what’s going on with consumer privacy in the Golden State, along with New York and Massachusetts.
Generally speaking, if you buy, receive, sell or share a lot of consumer data for California residents, you are going to be subject to California’s privacy laws, both old and new. CCPA and CPRA also apply if your company has over $25 million in gross global revenue, even if you don’t collect a ton of data on California residents. Marketing companies and cloud software providers are prime examples. Or, if you are a vendor to a company that must comply with California’s laws, then you must comply, as well. Fines for noncompliance, which range from $2,500 per unintentional violation to $7,500 per intentional violation, add up quickly.
CPRA, the amended law, gets more specific about what is considered private or sensitive information and offers consumers more recourse. Perhaps most importantly, CPRA creates a new regulatory agency, the California Privacy Protection Agency, tasked solely with enforcing and issuing guidance on CPRA. With nothing to focus on but CPRA, it is reasonable to expect an increase in enforcement actions when this new agency gets up and running.
In the category of what counts as personal information, the existing law says that’s anything that could reasonably be linked to a particular consumer or household. But the new law expands on that to include specific items, like Social Security numbers, driver license numbers, biometric information, precise geolocation and data about racial and ethnic origin.
I found this chart comparing CCPA vs. CPRA to be very helpful.
Bottom line: As your company grows, consider keeping an eye on California. It might make sense to follow CCPA and (later) CPRA now – or it might not. Consider whether it applies as your business expands. It can’t hurt to keep California’s consumer privacy laws on your radar and make sure your company’s legal personnel are staying up to speed, as well.