February 21, 2020

Think California’s New Privacy Law Doesn’t Apply to Your Business? Think Again.

by Adam Steele, Mac Murray and Shuster

As Mark Zuckerberg disclosed to Congress last year how Facebook user information is collected, tracked and sold as one of the most valuable business commodities in our modern economy, the vast majority of consumers were shocked. It was just one of multiple consumer data revelations that sparked a wave of award-winning documentaries, social outrage and, most importantly for businesses, consumer protection legislation. Now, the year 2020 has ushered in new privacy and data protection laws and a legislative trend that indicates more are coming.

The California Consumer Privacy Act (CCPA), which took effect on Jan. 1, is inarguably the most impactful of these new laws that you may not have realized affects your Ohio business. It includes numerous consumer disclosure requirements and operational revisions to the way businesses handle personal information, including providing consumers with the right to know how you’ve handled their data and request that you delete all of it from your records. So, how can this west coast privacy law reach Ohio businesses? It’s not as difficult as you might think.

The CCPA applies to any Ohio business that 1) collects the personal information of California resident(s) and 2) does any one of the following:

  • Earns $25 million or more in annual global revenue,
  • Handles the data of 50,000 people, devices, or households from California per year, or
  • Earns at least half its revenue from selling the information of California residents.

To be clear, a single transaction with a California resident places you on the hook for CCPA liability, including a fine of up to $7,500 per violation. One particular industry that is uniquely poised for unsuspecting compliance is our state’s automotive dealerships. In my practice providing compliance counsel to dealers, I’ve seen a growing trend of coastal consumers shopping for and purchasing vehicles online from Ohio dealerships to take advantage of more affordable midwestern prices. If a dealership takes part in such a transaction with a single California resident and has $25 million in annual revenue, it is now CCPA liable. And a purchase is not necessary to incur liability. A California resident merely filling out the dealer’s online contact form to request information about a vehicle also satisfies that requirement, as technically, the dealer has collected their personal information with this step.

While California is just one state, its reputation for trendsetting automotive regulation and consumer-friendly legislation is manifesting itself as other states begin looking to the CCPA as a template for their own consumer protection laws. Similar legislation has already been introduced in a number of states including Washington, Maryland, Massachusetts, Minnesota and Pennsylvania, and a number of other states are considering bills for introduction in their 2020 legislative sessions.

In other words, state privacy regulation is the new norm that is sweeping the nation. Ohio businesses will be on the hook across the country for compliance long before Ohio introduces its own privacy law, whenever that may be. Now is the time to begin preparing your business for its privacy future.

How can this west coast privacy law reach Ohio businesses? It’s not as difficult as you might think.