Last week I got a call from a client {Joe} asking about an email he had received suggesting his business was required to be compliant with the California Consumer Privacy Act (CCPA).
“Dear Joe, There are some severe compliance issues on your website. For instance, there is no ‘opt out’ link to meet CCPA requirements on the site. This is a mandatory requirement that can leave you vulnerable to a lawsuit. Is compliance important? I’ll share my screen, go through your site and give you a website overview. Next week, I’m free between 9am - 1pm PST, lmk what time works and I will send an invite for a call. …” — Joe
The email goes on to promote products and services to address these compliance issues. What’s funny is that the author of the email never did answer his own question: “Is compliance important?”

Probably because it’s the wrong question. Generally speaking, “compliance” is certainly important, but the relevant question would have been “Is CCPA compliance important for this business?”

First, note that CCPA does not apply to nonprofit organizations or government agencies. How convenient: the CA State Government didn’t want to eat its own dog food. Shocker! The CCPA DOES apply to for-profit businesses that do business in CA. In the case of websites or web-based software, it doesn’t matter whether your business is based in California or not unless you are blocking visitors from California. If a California visitor uses your system, you’re doing business in California.

Doing business in California is not enough on its own, though. Your business must also meet at least one of the following thresholds for CCPA to even be relevant:
Gross annual revenue of > $25 million; OR
Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; OR
Derive 50% or more of its annual revenue from selling California residents’ personal information.
Source: https://oag.ca.gov/privacy/ccpa

Like many small to mid-sized, non-California based businesses, it’s likely a stretch that the second criterion (buying, receiving, or selling the personal information of 50,000 or more CA residents, households, or devices) applies to your website, web application, or even a mobile app you may have put out on the market. Yes, even a plain website can collect and store personal information from users through anything from Google Analytics to a simple contact form, so the count is not automatically zero. Even so, know this:

“You cannot sue businesses for most CCPA violations. You can only sue a business under the CCPA if there is a data breach, and even then, only under limited circumstances. You can sue a business if your non-encrypted and non-redacted personal information was stolen in a data breach as a result of the business’s failure to maintain reasonable security procedures and practices to protect it.” Source: https://oag.ca.gov/privacy/ccpa

Additionally, for a breach to give rise to such a lawsuit, the personal information would have to contain the first name (or first initial) and last name AND any one or more of the following:
Social security number
Driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
Financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
Medical or health insurance information
Fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs unless used or stored for facial recognition purposes)
Source: https://oag.ca.gov/privacy/ccpa

Drive-by lawsuits, especially over website ADA compliance issues, have become a commonplace extortion practice amongst web trolls. It can be scary, and we have seen businesses completely shut down by such practices. It’s unfortunate for sure. In this case, I reminded {Joe} of an important risk management formula:
RISK = LIKELIHOOD * IMPACT.
Sure, there is always some likelihood of a lawsuit. But in the case of CCPA, a private lawsuit can only happen if there was a data breach, and for a data breach there has to be some data. As far as impact goes, unless you are storing unencrypted and unredacted sensitive data of the kind listed above and furthermore failing to maintain reasonable security practices, there doesn’t seem to be much damage that could come from such a lawsuit. Don’t sweat this one out, {Joe}.
Recent important changes:
February 2022: Amendment proposed - https://www.natlawreview.com/article/ccpacpra-proposed-amendments-would-extend-hr-and-b2b-data-exemptions-or-would-they
Georgia’s approach - https://www.jdsupra.com/legalnews/georgia-introduces-privacy-bill-2535502/