California consumer privacy law can affect businesses across U.S.

By Joyce M. Rosenberg
AP Business Writer

NEW YORK (AP) — If the thousands of Californians who use Josh Simons’ app for musicians demand next month that Vampr delete their personal information, Simons will be ready to comply.

The social network company expects to be one of many businesses nationwide subject to the California Consumer Privacy Act, a law that takes effect Jan. 1 and gives consumers control over the personal information companies collect, store and often share with other enterprises. Simons, who already had a user privacy policy in place before the act became law last year, has retooled the policy and the Vampr app.

“We have half a million users around the world,” Simons says. “It’s definitely something we have to keep in mind.”

Companies across the country need to be aware of the law’s complex requirements even if they don’t deal directly with consumers. It covers companies that conduct business in California, including out-of-state companies that sell products or merchandise to California residents. The law can also cover companies that make money from providing services like payment processing or website hosting to businesses that are subject to the law.

The law does have provisions aimed at exempting small businesses — companies are subject to the law if they have worldwide revenue above $25 million, collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; or those who get at least half their revenue from selling personal information. But small companies can easily reach the 50,000 threshold for collecting or receiving information — an individual who has a phone, tablet, PC at home and one at work counts as four users, not one.

Vampr is currently about 1,000 users shy of the threshold, but Simons expects the app will reach that milestone sometime in January. The Santa Monica, California-based company’s home state is its biggest market.

The law aims to protect consumers from having their information sold without their knowledge or consent. It was passed by the California Legislature in June 2018, and modeled on the European Union’s General Data Protection Regulation, which took effect in May 2018. The California law was enacted amid increasing concern about companies sharing consumer data, especially after it was learned that the data firm Cambridge Analytica improperly accessed Facebook user information.

The California law gives consumers the right to know what personal information companies collect from them, and what businesses do with it — whether they share, transfer or sell it, and who is the recipient of the information. Under a key provision, companies must give consumers the option to have their information deleted from databases.

The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records and information from GPS apps and programs.

Companies subject to the law must ensure their systems and websites are in compliance. Many without in-house technology staffs have hired companies to install software that among other things creates the website buttons and links that allow consumers to see their information and opt out of having it stored. Some companies may decide to get legal help to be sure they’re on the right track. Simons, who himself installed the software to make Vampr compliant, estimates the process cost the business $7,000, a large sum for a small company.

While the California statute takes effect Jan. 1, enforcement won’t begin until July 1. And the law as it stands now may change — the Legislature has already passed a number of amendments to clarify and refine the law’s requirements, and the state Attorney General’s Office is still formulating regulations and guidance about the law.

Some of the law’s complexities grow out of the relationships between companies that use one another’s data, for example, in the case of a payment processor that must use credit card and other personal information provided by a retailer in order to complete transactions. In such cases, the service provider must sign a contract that prohibits them from using the data for any purpose other than what is stated in the contract, says Travis LeBlanc, an attorney specializing in cybersecurity law with the firm Cooley LLP in Washington, D.C.

Vendors that can connect with client companies’ systems can unintentionally be an entry point for hackers trying to steal personal information. That was the case when hackers were able to steal personal information for more than 60 million Target customers in 2013.

“Vendors are often a source of weakness,” LeBlanc says. “The CCPA helps encourage the company that has the primary relationship with consumers to take responsibility for that.”

Attorneys find some of the law’s provisions to be vague, making it unclear which companies need to comply. One provision says information is protected if it is sold or transferred “to another business or a third party for monetary or other valuable consideration.” Attorneys are wondering what “valuable consideration” means, says David Stauss, an attorney with expertise in technology law with the firm Husch Blackwell in Denver.

“This can really become difficult to apply,” Stauss says. “There are some things that are going to clearly be sales, but that’s a gray area.”

Some companies that won’t be subject to the law nonetheless are setting themselves up to be compliant. Some expect that other states will enact similar laws, while others are aware that data privacy is a sensitive issue they need to address.

“We’re in an evolving area where consumer sentiment runs very high,” says Dawn Barry, president of Luna Public Benefit Corp., a San Diego-based company that collects data for medical research. Although the nature of the company’s business makes it exempt from the California law, it nonetheless is compliant with the statute and Europe’s GDPR, Barry says.