The New Year will not be starting on a happy note for small businesses that suddenly find themselves subject to a California privacy law. They will have to invest much-needed revenue into satisfying burdensome rules or face the threat of costly penalties.
“Any organization that collects any amount of personal data from California residents – be it as innocuous as a cookie or device ID or as robust as customer information – and does any business in the state of California or with California residents will almost assuredly be subject to the regulation,” PMG programmatic media director Justin Scarborough told MarTech Today.
The California Consumer Privacy Act, known by the shorthand CCPA, takes effect Jan. 1. The law will guarantee consumers the right to know what information businesses collect about them, where they got it and what third parties they shared it with. Consumers also will be able to block sales of the data or demand that it be deleted. When they request details about the collected data, businesses will have 45 days to respond.
The rules will apply to businesses in the Golden State or elsewhere if they collect data about Californians. Businesses will have to abide by the rules if they meet one or more of three thresholds – $25 million in revenue per year, 50,000 consumer records sold per year or 50 percent of revenue per year from selling personal data.
While those bars might seem high at face value, it won’t take some small businesses long to hit the mark of 50,000 records in particular. “An individual who has a phone, tablet, PC at home and one at work counts as four users, not one,” the Associated Press noted.
California-based florist Jim Relles said in a column for the Sacramento Business Journal that small businesses like his could fall under the CCPA for keeping phone records, texting customers, tracking leads and buying digital ads – even if they don’t link the collected data to specific individuals.
“Relles Florist is not a big tech company,” he wrote. “The compliance costs of such an effort, in terms of person-hours and data capture, would be hard to bear.” The costs include software and either in-house or contract staff to implement the technology. One small businessman cited by AP estimated his costs at $7,000.
Relles said such costs could force shops like his to stop marketing online, where they turned because it is cheaper than newspapers and television. “It’s a high-tech version of the same old story: Small businesses will be at a competitive disadvantage in competing with larger players,” he predicted of the CCPA’s impact.
Entrepreneurs whose budgets allow them to cover the compliance costs still could be hurt by the CCPA because of penalties written into the law. Fines could be as high as $2,500 per incident for even unintentional violations, which are a real possibility considering how many companies have never heard of the law, according to a survey about the CCPA.
Consumers also could sue businesses under a “private right of action” for data breaches. The potential penalties range from $100 to $750 per consumer for each incident, and with no cap on total damages, successful lawsuits or settlements could bankrupt businesses.
“In the unfortunate but very realistic scenario of a data breach,” ImageWare Systems chief technology officer David Harding said, “small and medium-sized companies will be fined millions of dollars and may become financially impaired. Micro companies may be pushed into insolvency for simply exposing email addresses gathered through social media campaigns.”
The CCPA also poses a longer-term threat to small businesses because of California’s history of setting the policy pace nationwide. A Nevada law patterned after the CCPA already took effect in October, and lawmakers have introduced bills in New York, Texas, and Washington. Tougher privacy rules also are a hot topic in the nation’s capital.
The privacy road ahead could be bumpy for small businesses, but we’ll be here with them to help smooth the way as much as possible.