A new California Consumer Privacy Protection Act goes beyond requiring businesses to have privacy policies. It forces them to carefully structure how they gather and use consumers’ information.
The law, which became effective Jan. 1., is not limited to information gathered by a website. The law addresses all personal information gathered from consumers, even offline.
You may be thinking, “So what? My business isn’t located in California. Why should I care about this?”
If your business interacts with Californians while they are in the state, such as through your website or social media or on the phone, or if you ship goods to California, your business must follow the law even if it has no physical presence in that state.
The new law does not apply to all businesses. It applies if your business has more than $25 million in gross revenues. While the law is unclear, it appears that refers to money earned anywhere, not just from Californians.
Even if your business does not have gross revenue that high, the new law applies if the business earns 50% or more of its revenue from selling consumer information or if it annually sells the personal information of 50,000 or more consumers.
You should pay attention to the law even if your business is not big enough to be covered yet.California could broaden the scope of businesses covered.
Also, the federal government might soon enact a similar law to pre-empt the California measure and to prevent a patchwork of state laws from imposing inconsistent and Byzantine requirements.
Here’s a taste of how the California law works:
· The business must inform consumers at the point of collection of the categories of personal information it gathers and how that data is used.
· Upon request from a consumer, a business must disclose the categories and specific pieces of information collected about that consumer. The business must provide at least two ways for consumers to make such requests, including providing a toll-free telephone number.
· The consumer can require a business to delete information about himself or herself.
· A business must inform consumers of the right to opt out of the sale of the consumer’s personal information and honor opt-out requests. A business must put a link on the home page of its website titled “Do not sell my personal information.”
It’s best for businesses of all sizes to tackle this issue now rather than waiting for the legal environment to develop further, because that gives such businesses more time and flexibility in which to act.By John Farmer