Does The CCPA Affect My Business?

In the last few weeks you, like me, may have seen an unusual number of emails in your inbox from companies notifying you of recent changes to their privacy policies. This is not a coincidence. It is in response to the California Consumer Privacy Act (“CCPA”), which is set to go into effect on January 1, 2020.

The CCPA is widely acknowledged to be the most comprehensive piece of privacy legislation in the United States. The fact that it was passed in California—the epicenter of big tech in the United States—is at once understandable and surprising, given the political heft of that industry both in California and at the federal level.

Regardless of your thoughts on the politics of the CCPA, if you’re a Washington business owner, you’re probably wondering why it matters to you—after all, it’s a California law. While true, the CCPA will apply to certain companies that do business in California, regardless of whether the company is based in California or elsewhere, and for that reason all Washington companies doing business in California or planning to in the future should be aware of their obligations, to the extent they have any, under the CCPA.

Even if your company does no business in California, the CCPA should still be on your radar. As I’ve written elsewhere on this blog, California is regularly at the vanguard of setting policy that is later adopted by other states. With Seattle and the Puget Sound region emerging as a Silicon Valley competitor, Washington has a particularly strong incentive to keep pace with California as it competes for top tech talent.

If you need a reminder of this, look no further than Washington’s recent legislative restrictions on employee non-compete agreements (employee non-competes are largely banned in California.)

Related: Washington’s New 2020 Non-Compete Law

OK, if you’re still reading, I’ve convinced you the CCPA is important so let’s get into a few of the details.

Generally speaking, the CCPA applies to for-profit businesses that meet the following criteria:

1. Does business in California
2. Collects consumers’ personal information
3. Falls into one of the following categories
   • Annual revenue of more than $25 million
   • Buys or sells personal information of more than 50,000 consumers or households
   • Gets more than half of its annual revenue from selling consumers’ personal information

Reading this may ease some of your concern about the regulatory burden of the CCPA on your business. The average small business doesn’t have revenue exceeding $25 million, and plenty of businesses do no buying or selling of personal information. So it’s entirely possible your company has nothing to fear from the CCPA.

If, on the other hand, you think your company may be subject to the CCPA, you should seek legal help as soon as possible. Compliance with the CCPA will require close scrutiny of your existing data collection, sharing, and other practices, as well as an overhaul of your existing privacy policy, at the least.

Consequences of non-compliance with the CCPA may include injunctions and statutory penalties enforced by the California Attorney General. The CCPA also provides a private right of action for consumers who have been harmed by a business’ failure to comply with the CCPA.