Should Your North Carolina Data Collection Practices Comply with California Law?
On January 1, 2020, a California law on electronic data security went into effect. The Consumer Privacy Act (CCPA) will apply where a company:
Has Headquarters in California
Has Employees in California
Is incorporated in California
Qualified as a California ‘foreign entity
Is an out of state entity with sales/transactions into California
Has at least $25,000,000 in annual gross revenues;
Buys, sells, shares, and/or receives the personal information of at least 50,000 California consumers, households or devices, per year; or
Derives at least 50% of annual revenue from selling California consumers’ personal information.
The big change is that things like names, addresses and email addresses are now considered sensitive information that needs to be tracked and managed. Previously, sensitive data was social security numbers, driver’s licenses and bank account information.
Your business must be able to say what consumer data you collect, keep track of the sources from which that personal information was collected, the collection’s purpose, where personal information is stored, and the circumstances under which any data has been shared. Many companies do this already, but the stakes are much higher.
Consumers now have the right to request this collected information from businesses.They can ask for the deletion of any such information and to demand that their personal information not be sold.
Violations will result in a fine of up to $7,500 per violation. Additionally, consumers will be able to seek statutory damages of up to $750 per consumer if businesses experience security failures.
Most Legal Direction clients won’t be subject to this law, but building a customer-centric data collection practice is easier to do from the start than to upgrade later. The CCPA follows 2018’s European General Data Protection Regulation. These data-protection regimes are consumer-driven, and most experts predict privacy legislation will continue to put more requirements on business owners to protect their customer data.