I’m Not In California, So Why Does Their Consumer Privacy Act Apply To Me?
Part 2 of 3 in the Privacy Act Series.
If you do business with anyone who lives or works in California, the CPRA could very well apply to you. If you have ever used a consumer list from a list provider, conducted any type of transaction with a California resident, or even worked with a third-party vendor who may potentially work with California residents, you are subject to the California Consumer Privacy Act. Keep an eye out for the phrase “alone or in combination with other businesses…”: when you look at the big picture, that wording essentially pulls everyone in.
In the most general sense, the California Consumer Privacy Act applies to a business or proprietorship that:
- Does business in the State of California by means of physical storefront or online transactions.
- Buys, receives, or sells personal information, or acts on behalf of any business or vendor for which such information is collected. This includes list data.
- Alone or jointly with other businesses, partners, or vendors, determines the purposes or means of processing collected data.
- AND meets one or more of the following criteria:
  - Alone or in combination with other businesses, buys, receives for the business’s commercial purposes, sells, or shares consumer information of 50,000 or more consumers, households, or devices.
  - Reports an annual gross revenue in excess of $25 million.
  - Derives 50 percent or more of its annual revenues from selling or sharing California residents’ personal information.
Nonprofit organizations and government agencies are exempt from the CPRA rules, as they have their own set of guidelines to adhere to. If you are a private for-profit business, however, following the guidelines will give you a head start when other states adopt similar rules, even if you are unsure whether this Consumer Privacy Act applies to you.
I Am A Small Online Business, And I Don’t Collect Or Sell My Customers’ Information. Do I Need To Worry About CPRA Compliance?
In short, yes. As I mentioned previously: if you’ve ever purchased a consumer mailing or email list from a list vendor to market your business, if you have ever conducted any type of transaction with a California resident, or if you have ever purchased from or sold to a vendor who may also work with California residents (or even if their vendors transact with California residents!), you are subject to the California Consumer Privacy Act / California Privacy Rights Act.
I know – it seems like quite the crazy web of responsibility, right? You are definitely better safe than sorry here.
Under the CPRA, even if your business does not actually collect personal information from consumers, the law still applies. As long as personal information can be collected on behalf of your business, for example through a third party such as a list provider, customer database provider, or vendor, your business could still fall under the regulations of the CPRA.
Does CPRA Apply To B2B Businesses?
Some businesses may be led to believe the law does not apply to them because they do not engage in transactions directly with individual consumers. Again, there is that web of responsibility, with each party tied to the next… and so on. You may only work with other businesses, but those businesses very likely have contact lists with – you guessed it – California residents on them.
What If I Am Audited For Consumer Privacy And Found To Be Non-Compliant With The CPRA?
As the old adage goes: Prevention is key. But, what if someone (totally not you) didn’t know that the rules have been evolving? Well, there are consequences to non-compliance, but the good news is you’ll have a 30-day grace period to take action to correct any issues before you face liability on record.
What if you don’t take action? Well, a business violating the CPRA is subject to injunctions and penalties of up to $2,500 for each violation, and up to $7,500 for each intentional violation. Plus, the CPRA provides California residents a private right of action if their personal information is breached because the business holding it did not meet its duty to maintain reasonable safeguards to protect that information. Private action can include statutory damages of up to $750 per consumer per incident or the cost of actual damages, whichever is greater.
An August 2019 IAPP survey revealed that only 2% of organizations were able to report that they are currently in full compliance with the law. In another survey, over 44% of polled business owners and company executives had never even heard of the CPRA, and only 12% were aware that the law applied to their business. As a business owner or executive, I strongly urge you to determine whether you have CPRA obligations. Compliance will ensure you can continue to operate smoothly without any CPRA audit hiccups to deal with.
What Can I Do To Stay Privacy Act Compliant Under CPRA? Continue to Part 3 of the Privacy Act Series.