California Consumer Privacy Act (CCPA): Impact on Your Florida Business


Cambridge Analytica and numerous high-profile uses of consumer data were a bridge too far for California lawmakers. Invoking California’s constitutional right to privacy, they enacted the California Consumer Privacy Act (CCPA), one of the broadest consumer protection and privacy laws globally. The law, passed by the California legislature in 2018, will enhance consumer privacy rights and protections for state residents. 

However, the California Consumer Privacy Act doesn’t affect just California businesses. The law applies to any company doing business with California residents, whether it is a California-based business or not. In effect, the law will radically change how Florida companies handle personal information if they conduct any business in California or with Florida residents. The CCPA will impact more than 50,000 businesses nationwide, including major corporations and small businesses. 

Businesses Affected by the CCPA

The CCPA went into effect on July 1, 2020, with the promulgation of final regulations by the California Attorney General’s office on June 1, 2020.

The law applies to any business that:

  • Collects personal information from customers and decides how the data is used or processed either directly or through a third party;
  • Operates in California and either (1) has gross annual revenues of $25 million or more; (2) buys, receives, shares, or sells the personal information of more than 50,000 consumers, households, or devices; or (3) makes at least half of its annual revenue from selling customers’ personal information.

Some businesses are exempt from the CCPA if they:

  • Collect and sell personal information entirely outside of California;
  • Make only a single transaction and do not retain collected personal information;
  • Sell personal information as part of a merger or acquisition;
  • Collect or sell personal information as required by law, to cooperate with law enforcement, or to defend legal claims; or
  • Do business within an industry that already has consumer data and privacy protections in place.

The law applies to any for-profit business entity, including corporations, LLCs, sole proprietorships, and partnerships.

Personal Information Covered by the CCPA

The CCPA covers a great deal of personal information, both traditional and nontraditional. The law includes emails, addresses, phone numbers, account names, social security numbers, credit card information, and browsing histories. But the law expands personal information to include nontraditional categories such as:

  • Commercial information, including records of personal property, products or services purchased, or other purchasing histories;
  • Biometric information like fingerprints or facial data;
  • Olfactory, audio, visual, thermal, or electronic information;
  • Consumer preferences;
  • Psychological profiles, characteristics, trends, predispositions, behaviors, attitudes, intelligence, abilities, and aptitudes;
  • Geolocation data;
  • Professional or employment-related data;
  • Education information; and
  • Race, gender, or other protected information.

Notably, the CCPA applies to data collected both online and offline, including data on customers, potential customers, business contacts, and California employees.

CCPA Rules Regarding Minors

California’s new law also establishes new rules for the collection and retention of minors’ personal information. The CCPA raises the age of consent for data collection to 16 from 13. For kids under the age of 16, a parent or legal guardian must consent to the collection of the minor’s personal information. The law places the responsibility for affirmatively verifying a minor consumer’s age to “actual knowledge.”

Rights of California Residents Under the CCPA

The CCPA secures consumer rights for California residents that include:

  • The right to know information businesses collect about them and how businesses share it;
  • The right to delete some personal information businesses collect about them;
  • The right to opt out of the sale of their personal information;
  • The right to not be discriminated against for exercising their CCPA rights.

For example, a business can’t charge a customer higher prices, provide lower quality goods, or refuse to sell to a consumer for exercising their rights under the CCPA. Businesses must also have at least two methods for California residents to make requests, including a toll-free number and a website address if the business maintains a website.

Penalties for Failing to Comply

Businesses that fail to remedy CCPA violations within 30 days of notice can face fines of $2,500 to $7,500 per incident, depending on whether the violation was intentional or inadvertent. The CCPA also creates a civil action that customers can invoke, with statutory damages between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” Cal. Civ. Code § 1798.150(a)(1) (2018). Customers can seek statutory damages in addition to declaratory or injunctive relief. See id.

What Should Florida Businesses Do?

Consider these steps for your business to ensure compliance with the CCPA:

1. Follow the Data

Audit your data to gain a full understanding of all of the personal information your business collects. Then, follow or trace how your company handles information it currently collects from customers, employees, and business contacts in California. Consider how your business collects, stores, and maintains data, and then look to all of your business-to-business relationships and ensure that any third parties also comply with the CCPA.

2. Tailor a CCPA Program

Your business will need to implement a privacy policy and a data governance plan for all personal information the business collects. Businesses that fall under the CCPA will need to notify customers before collecting data, whether in-person, online, or by phone. Your business will need to maintain records of how consumers respond and procedures to respond to information, deletion, and opt-out requests. But using a policy that you cut/paste from the internet, or a privacy policy generator, won’t work for your CCPA program. Your business will need to work collaboratively with sales, marketing, business, and legal teams to ensure that your privacy policies and procedures comply with the CCPA.

3. Train Employees

After developing your privacy policies and data governance plan, it’s time to train employees. Your business will need to ensure that all employees comply with the CCPA.

4. Update When Needed

Under the CCPA, businesses need to update online privacy policies at least every 12 months. Current regulations also require that these policies be reasonably accessible to those with disabilities and comply with Web Content Accessibility Guidelines.

When Uncertain about Your Business’ CCPA Compliance, Contact an Experienced Business Law Attorney to Guide You

If you have questions about the CCPA and how it affects your Florida business, contact the attorneys at Boyer Law Firm, P.L. We have attorneys specializing in business law and can schedule an appointment to accommodate your schedule.