Ah, the sky is falling! So say the prognosticators regarding the California Consumer Privacy Act (CCPA), often referred to as California’s GDPR-lite privacy law. While the new law is more restrictive than we’ve seen in the good old USA, it hardly qualifies as being remotely as burdensome as the abomination that is the GDPR in the EU. Perhaps even more importantly, the California GDPR has a loophole written into it that precludes the need for many small businesses to comply.
Let’s step back a bit to make sure we are all on the same page here. When the initials “GDPR” are used, they refer to the General Data Protection Regulation in the EU. The Regulation went into effect on May 25, 2018. The Regulation is binding on all 28 Member States and is allegedly designed to give people control over their data. EU representatives love to preach endlessly about the value they put on privacy – often while walking down a street in London with you where there is one surveillance camera for every 11 people.
While the GDPR does empower individuals with control over their data in some respects, the EU also goes overboard in requiring businesses to take bizarre steps that do almost nothing to protect the privacy rights of individuals, but do hurt small businesses. For example, the GDPR requires businesses to differentiate between business and personal data when obtaining personal data of another person in a business transaction. How idiotic is this requirement? Well, it helps to understand the application in the real world. EU representatives have said that if you communicate with a person in another company while at work, GDPR compliance is required if that person uses a personalized business address [email@example.com] but not if the email address is for a position [firstname.lastname@example.org].
California is an interesting state from a legal perspective because anyone can put a proposed law on the election ballot if that person can generate sufficient signatures from people in California evidencing an interest in passing the proposed law. Viva la people! Of course, most of the initiatives brought are backed not by “the people,” but by billionaires who have a particular interest or hobby.
In this case, the wealthy person in question is Alastair MacTaggart, who made a fortune in real estate in San Francisco. Mr. MacTaggart is a fan of the European GDPR, so he pumped a few million dollars into a consumer privacy initiative and obtained a sufficient number of signatures to qualify it for the upcoming November ballot. There was just one problem. If voters voted the initiative into law, the law would take effect immediately with companies having no time to develop compliance systems and hardware.
To counter this risk, the California Legislature did something rather surprising. It took the initiative out of the hands of voters and converted it into law as the California Consumer Privacy Act (CCPA).
And the politicians did this all in…seven days.
And people say the government isn’t efficient.
So, with privacy Armageddon avoided, the even more fantastic development with the CCPA is the law was drafted to take into account the resources – or lack thereof – of small businesses.
Critics justifiably rip the EU for failing to take into account the size of businesses when issuing GDPR compliance requirements. Your aunt, who you set up a blog for so she can show her fruit canning techniques to others, has nearly the same obligations under the GDPR as Facebook. The EU’s failure to recognize that small business owners often can’t afford the cost of complying is why the EU is regarded as an entrepreneurial desert of sorts. Seriously, name one major Internet company in the EU. Depending on how you define “major,” few if any exist, and it isn’t because Google and Facebook are hogging the market.
To its credit, the California Legislature proceeded with a more practical approach after recognizing that crushing small businesses probably wasn’t the best idea for keeping the state economy humming along. Given this, the California GDPR states that businesses must comply with the various privacy requirements under the law, but only if a business:
(1) has $25 million-plus in annual revenue, or
(2) derives 50 percent or more of its revenues from selling consumer data, or
(3) “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
So, there you have it. If your business doesn’t hit any of these thresholds, then you do not need to worry about the California GDPR.
The Potential Traps
Is there a potential trap in this loophole? Yes. A couple. Item (2) is a natural trap for companies selling leads. Even if you are a small company selling, oh, 50 leads a month, if the revenues from those leads constitute more than 50 percent of your revenues, you must comply with the new law.
A trap also exists in item (3) of the loophole. While the “50,000 or more” figure appears hefty at first glance, keep in mind that just collecting IP addresses from people who visit your site constitutes collecting personal information under the new law. Since the servers for most sites do so automatically, this provision suggests that if you receive more than 4,166 unique visitors a month (50,000 divided by 12 months), you must comply.
There is some hope these traps will be closed by raising the threshold numbers used in each, but the outcome is currently unclear. The legislature is moving to amend the law as I write, so keep an eye out for developments.
Frankly, the EU should be embarrassed. In seven days, California created and enacted a GDPR-lite that is superior to what the EU flogged into shape in four years.
Richard A. Chapo, Esq.