According to the United States Small Business Administration, or SBA, 3.9 million small businesses operated in California in 2018. These businesses employed approximately 7 million people, which constituted 49 percent of the private workforce in the state. As a result, when a law such as the California Consumer Privacy Act, or the CCPA, is enacted, it affects a lot of people both in terms of those it protects and those it governs. The CCPA took effect on January 1, 2020, and every business that not only exists in California, but also does business in California, needs to be aware of its reach and requirements.
If you’re wondering how the CCPA affects your small business, here are ten things to consider when it comes to your business and the CCPA:
1. “Small” Is a Malleable Term
Even if you qualify as a small business under the guidelines established by the SBA, that doesn’t mean that your business is exempt from the CCPA. That’s because the law applies to any business that meets or exceeds any of the following criteria:
- The business generates annual revenue of at least $25 million.
- The business has or obtains personal information relating to at least 50,000 California residents, households or devices.
- At least 50 percent of a business’ annual revenues are derived from selling applicable personal information.
This means that even if your business consists of two people and you generate annual revenues of $200,000, if at least $100,000 of that revenue comes from selling what the CCPA defines as “personally identifiable information,” your business would fall under the jurisdiction of the CCPA. As such, the CCPA affects your small business directly and you must comply with its standards.
2. Your Business Doesn’t Need to Exist in California
The CCPA affects small business entities that are not registered in California. The law was put in place to protect people and households that reside in California. In essence, the location of the business is irrelevant.
If your small business is located in another state or even in another country, but it meets any of the requirements listed above, it must comply with the tenets set out in the law. This is relatively common in today’s technology-driven world, where companies collect and sell personal data from people all over the world. If your business’ personal data includes information regarding at least 50,000 California residents, you need to pay attention to how you’re handling this data.
3. There Is Nothing “Small” About CCPA Penalties
The CCPA affects small business entities by way of penalties at levels that can be nothing short of crippling for those businesses that are truly small and/or just starting out. The law provides remedies for people who have been harmed, and those remedies include the levying of penalties against violators.
If a business is deemed to have violated the CCPA accidentally or negligently, it can face fines of up to $2,500 per violation. Purposeful violations can lead to penalties of up to $7,500 per violation. In the example above, if the small business does not properly protect the personal data it sells, it would only take 27 findings of purposeful violations to completely wipe out that company’s revenue for that year.
4. Compliance Is Worth the Investment
The reality of the reach of the CCPA is that every business that falls under its jurisdiction needs to take preventative steps to protect itself from potential liability. There are ways to achieve CCPA compliance, and some examples of these steps include:
- Updating your privacy policy every 12 months
- Providing an “opt-out” for consumers on your website who do not want their information sold
- Having a process in place to promptly delete an individual’s information upon request
- Making sure that minors’ information is handled in accordance with the statute
- Properly disclosing the information requested by a consumer
This does not represent an exhaustive list but taking preventative measures to make sure that your small business is compliant with the CCPA can save untold amounts of time and capital if something did go wrong.
5. Build CCPA Costs Into Your Business Plan
What small businesses need to know about the CCPA is that the legislation is not going away. This is not one-time precaution that’s being taken in response to a singular event, but rather a legislative action designed to curtail what many believe to be a systemic problem within the world of technology. States across the country are coming out with their own versions of CCPA, though California is currently the most restrictive state.
As mentioned above, the costs associated with violating the CCPA can add up very quickly for a small business. Generally speaking, it may be a more fiscally sound practice to build the costs of CCPA compliance into your startup or business plan so that it’s part of what you do and not something you wish you could avoid.
6. Employee Training Matters
Every question about how the CCPA relates to small businesses generally comes down to the people involved as much as the technology. It’s the people who manage the data that’s protected and it’s the people who need to make sure that the steps taken by a business when a consumer acts under the CCPA are appropriate. Not to mention, if legal claims are ever filed, it’ll be the people involved who will need to answer questions regarding what happened.
Therefore, it is the responsibility of any small business to make sure that their employees are fully up to date with regards to the nature of the CCPA, how it applies to their work and what they need to do to protect themselves and their company from potential problems. This training could ultimately make the difference between a correct decision and a regrettable mistake, and at the very least, it will serve as evidence that there was intent to comply with the CCPA.
7. Refine Your Processes
What small businesses need to know about the CCPA is that it’s a progression that often looks something like below:
- A business manages personal data.
- That business falls under the jurisdiction of the CCPA.
- The business takes every reasonable step to protect that data.
- The business follows the law with regards to disclosures, opt-outs, etc.
- Consumers file requests for disclosures and to disappear.
- The business responds to those requests promptly and properly.
- The business updates its Privacy Policy in a timely manner.
There’s no bar to refining these processes and automating and/or streamlining them as much as possible. As long as the statutory requirements are met and there is no data breach, there’s no reason to overdo things. Of course, you should refine these processes under the watchful eye of an experienced attorney.
8. Compliance Is Not a One-Time Thing
According to Internet World Stats, which compiles internet usage data, more than 4.5 billion people used the internet as of June 2019. That number rose from 2.4 billion people five years earlier. That represents an increase of 83 percent. Given that the world’s population is currently at 7.7 billion, that means that nearly 60 percent of the entire world is online.
What does that have to do with the CCPA and small businesses? It means that as more people continue to browse the web, more data is going to become available, and more personal information is going to be bought and sold. With regards to your small business, it means that you need to be ready to take regular steps to upgrade your security, update your responses and make sure you’re remaining compliant with relevant laws, the CCPA among them.
9. Vet Your Purchasers
There is no telling why a certain company may want to purchase your personal data. It may be for completely legitimate reasons which should not concern you, or it could be for reasons you’d rather not think about. What you should consider not doing, however, is simply “trusting your gut” and selling your information to whomever you think will do the right thing. Mistakes made in this regard could lead to legal problems down the road, so you must vet your purchasers properly with the help of a business attorney who can oversee this process and draft a contract with appropriate provisions in place.
10. Work With a CCPA Compliance Lawyer
Ultimately, what small businesses need to know about the CCPA is that it governs many aspects of their operation if they fall within its jurisdiction. There will be many situations in which difficult decisions need to be made, and the best way to do that is with a CCPA compliance lawyer who understands how to protect clients from avoidable legal exposure. Contact Kam Law Firm today to schedule a thorough review of your CCPA compliance strategy.
