California is a pioneer in the frontier of data privacy. In 2003, California was the first state to pass a law requiring commercial websites to post a privacy policy. Last year, California did it again by passing the first comprehensive data privacy law in the U.S. Like the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act of 2018 (CCPA) imposes restrictions on the collection, use, and sale of personal information of consumers that previously did not exist under law of any state. The law is set to take effect on January 1, 2020.
Should Hawaii businesses be concerned about the CCPA? The CCPA will apply to many companies that do business online. Any Hawaii business with an Internet presence should evaluate whether it must comply with the CCPA. In addition, the CCPA has inspired many copycat laws. In Hawaii, a bill proposing CCPA-like privacy protections was introduced in the 2019 legislative session (SB 418), and although it did not pass, it would not be surprising if similar measures were introduced in the future.
Applicability of the CCPA to Hawaii Businesses
Maybe you think the CCPA doesn’t apply to you because you don’t deal much with California customers or clients. If so, you might be in for a rude surprise. The CCPA is a hastily drafted law full of ambiguities. These ambiguities make the law potentially applicable to small businesses outside of California. The International Association of Privacy Professionals estimates that the CCPA will apply to more than 500,000 U.S. companies, most of them being small to mid-sized companies.
Consider this hypothetical scenario. You own a Hawaii-based business selling high-end bikinis. Your retail stores are located only in Hawaii, but you also sell your products on your website. Approximately 3% of your online sales are to California customers. Your website attracts 60,000 unique visitors per year. Under these facts, the CCPA as written probably would apply to your business.
Who Must Comply with the CCPA?
The CCPA applies to a “business,” which has a specific meaning under the law. Figuring out if you are a “business” that must comply with the CCPA is a two-step process. A “business” must be a for-profit entity that collects “personal information” of California residents and “does business in the State of California.” The Hawaii-based bikini business in the scenario above is a for-profit entity that collects personal information of California residents. Whether it “does business in the State of California” is a murkier question because the CCPA does not define the phrase. However, it is highly likely that engaging in business transactions on the Internet with individuals living in California is considered “doing business in the State of California.”
If you meet the requirements in the first step, the second step is to determine if you meet one of the three thresholds:
- you have annual gross revenues of more than $25 million,
- you buy, receive for commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or
- you derive 50% or more of your annual revenues from selling personal information of California residents.
The first threshold is straightforward – your annual gross revenues either total $25 million (or more) or not. The third threshold is also fairly discernible, but what “selling” personal information means is not entirely clear.
Businesses should especially be concerned about the second threshold because it’s a trap for the unwary. The term “consumers” refers to California residents, so the second threshold is met if you buy, receive, sell, or share the personal information of at least 50,000 California-based consumers. But the “households” and “devices” referenced in the statute are not limited to those located in California. As currently written, the CCPA counts personal information collected from any household or device – not just those located in California or owned by a California resident – toward the 50,000 threshold.
Reaching the 50,000 mark also isn’t difficult given the broad definition of the terms “personal information” and “device.” Personal information includes IP addresses and cookies. A device refers to any physical object connected to the Internet. If your website tracks web traffic with a tool like Google Analytics, a person who visits your business website once each with a desktop computer, mobile phone, tablet, and laptop would add 4 hits toward the 50,000 threshold. Future regulations could clarify that the CCPA applies to households and devices with some nexus to California, but no such limitation exists now.
What Does the CCPA Require?
If the CCPA applies to your business, you and your service providers must honor certain rights that the law gives to consumers. These rights include:
- Right to access – the consumer is entitled to get a copy of the personal information that the business has collected about the consumer
- Right to deletion – the consumer may require a business to delete the personal information that it has collected about the consumer
- Right to knowledge – a business must disclose what personal information it has collected about a consumer and how it uses that information
- Right to control – before a business may sell personal information that it collects about a consumer, it must first obtain the consumer’s consent, and the consumer may at any time direct the business not to sell his or her personal information
- Right to equal service – a business may not discriminate against a consumer for exercising rights granted by the CCPA
What Must I Do to Comply?
What a Hawaii business must do to comply with the CCPA is highly dependent on the nature of the business and its operations. Compliance means more than just revising the terms of use or privacy policy posted on a business website. Review and modification of internal processes could be required to enable a business to honor the consumer rights granted by the CCPA. Hawaii businesses should consult with IT professionals and legal counsel experienced in data privacy to determine the specific steps necessary to meet the requirements of the CCPA.