Ah, the sky is falling! So say the prognosticators regarding the California Consumer Privacy Act (CCPA), often referred to as California’s GDPR-lite privacy law. The new law is more restrictive than we’ve seen in the good old USA. Still, the act isn’t nearly as burdensome as the GDPR. Perhaps even more importantly, small businesses often don’t need to comply with the new legislation.
Let’s step back a bit to make sure we are all on the same page here. Nearly every commentator refers to the General Data Protection Regulation as the “GDPR.” The regulation went into effect on May 25, 2018. The EU issued the regulation to give people more control of their data. EU representatives love to preach endlessly about the value they put on privacy – often while walking down a street in London with you where there is one surveillance camera for every 11 people. All 28 Member States must comply with the regulation.
While the GDPR does empower individuals with control over their data in some respects, the EU also goes overboard in requiring businesses to take bizarre steps that do almost nothing to protect the privacy rights of individuals but do hurt small businesses. For example, the GDPR requires companies to differentiate between business and personal data when obtaining personal data of another person in a business transaction. How idiotic is this requirement? Well, it helps to see how it applies in a real-world example. EU representatives have said that if you communicate with a person in another company while at work, you must comply with the GDPR if that person uses a personalized business address [email@example.com] but not if the email address is for a position [firstname.lastname@example.org].
California is an interesting state from a legal perspective. Anyone can put a proposed law on the state election ballot. One only needs to obtain a sufficient number of signatures from Californians supporting the initiative. Viva la people! Of course, most initiatives are backed not by “the people,” but by billionaires who have a particular interest or hobby.
In this case, the wealthy person in question is Alastair MacTaggart. Mr. MacTaggart made a fortune in real estate in San Francisco. He is a fan of the European GDPR, so he pumped a few million dollars into a consumer privacy initiative and obtained a sufficient number of signatures to qualify it for the upcoming November ballot. There was just one problem. He and his counsel did a poor job drafting the initiative. Some sections violated federal law. Others conflicted with other California laws.
To counter this risk, the California Legislature did something somewhat surprising. It took the initiative out of the hands of voters. In the summer of 2018, the Legislature converted it into a law. We now know this law as the California Consumer Privacy Act (CCPA).
And the politicians did this all in…seven days.
And people say the government isn’t efficient.
So, with privacy Armageddon avoided, the even more fantastic development with the CCPA is the law was drafted to take into account the resources – or lack thereof – of small businesses.
Critics justifiably rip the EU for failing to take into account the size of businesses when issuing GDPR compliance requirements. Your aunt, for whom you set up a blog so she can show her fruit canning techniques to others, has nearly the same obligations under the GDPR as Facebook. The EU’s failure to recognize that small business owners often can’t afford the cost of complying is why many commentators view the EU as an entrepreneurial desert of sorts. Seriously – name one major Internet company in the EU. Depending on how you define “major,” few if any exist, and it isn’t because Google and Facebook are hogging the market.
To its credit, the California Legislature proceeded with a more practical approach after recognizing that crushing small businesses probably wasn’t the best idea for keeping the state economy humming along. Given this, the California GDPR states that companies must comply with the various privacy requirements under the law, but only if a business:
(1) has $25 million-plus in annual revenue, or
(2) derives 50 percent or more of its revenues from selling consumer data, or
(3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
So, there you have it. If your business doesn’t hit any of these thresholds, then you do not need to worry about the California GDPR.
The Potential Traps
Is there a potential trap in this loophole? Yes. A couple. Section 2 is a natural trap for companies selling leads. Even if you are a small company selling, oh, 50 leads a month, if the revenues from those leads constitute more than 50 percent of your receipts, you must comply with the new law.
A trap also exists in Section 3 of the loophole. While the “50,000 or more” figure appears hefty at first glance, keep in mind that merely collecting IP addresses from people who visit your site constitutes collecting personal information under the new law. Since the servers for most sites do so automatically, this provision suggests that if you are receiving more than 4,166 unique visitors a month [50,000 / 12 months], you must comply.
There is some hope the legislature will close these traps by raising the threshold numbers used in each, but the outcome is currently unclear. The government is moving to amend the law as I speak, so keep an eye out for developments.
Frankly, the politicians in the EU should be embarrassed. In seven days, California created and enacted a GDPR-lite that is superior to what the EU flogged into shape in four years.
Richard A. Chapo, Esq.