Legal insightMarketingStartups

California’s New Privacy Act Puts the Crunch on Small Businesses

The California Consumer Privacy Act (CCPA) is the sleeping giant of data protection laws. When it went into effect on January 1, 2020, the CCPA gave the United States its strictest regulations yet for protecting customer information.

By Venkat Ramasamy, COO, FileCloud

Consumers should feel better about their privacy and the stringent rules that hold companies responsible for protecting their personal information. And most of the big tech enterprise companies should be fine, too. They have systems and processes in place for handling data and, perhaps, more importantly, legal teams that will guide them and advocate for them. But the biggest potential victims of CCPA—even inadvertently—are small businesses. 

Most small businesses don’t plan to sell your data to anyone. They’re too busy selling goods they made themselves or helping people buy homes. Under the CCPA, however, it’s against the law to buy, sell, receive or share the personal information of more than 50,000 California residents.

That may sound out of reach for most businesses, but consider that it’s less than 150 people a day. It’s 0.13% of California’s population or just under 1 out of every 800 people in the state. 

Small businesses often buy sales leads from data brokers to help sell their products and services. And they typically buy them in numbers much higher than 50,000.

The primary target at this point should be these giant data brokers, who are sitting on the personal information of hundreds of millions of people and who collect and profit from our data. It’s good news that these data brokers are within the scope of CCPA, but it doesn’t make sense for small businesses to jump through the same regulatory hoops.

Those small businesses won’t be able to skirt the rules like other larger companies. The CCPA has carved out an exemption around the federal Health Insurance Portability and Accountability Act (HIPAA). Businesses charged with protecting information about your health can potentially wriggle free of CCPA’s privacy regulations by claiming this exemption. It could have a considerable impact, especially in the wake of Google gathering personal health data from millions of Americans. 

A much wiser approach to CCPA would be to focus on the most prominent known offenders first. Regulators would be able to establish best practices and then roll out future versions of the law that don’t overstep on the country’s small business owners.

There’s no stopping CCPA, even though a recent eMarketer poll found that only 8% of U.S. businesses said they were prepared. Only a third expected to be able to meet the January 1 deadline, and 11% said they had no plans to prepare.

Many small businesses won’t be able to survive a big fine. For a regulation that is likely setting a national precedent, CCPA is falling short of serving the companies that are the foundation of the U.S. economy. The Small Business Administration estimates there are 30.2 million small businesses in America. That’s 99.9% of all the businesses in the United States. It’s a shame that regulations designed to bolster consumer privacy also make it harder for America’s entrepreneurs to do business.

Venkat Ramasamy, COO, FileCloud

Venkat leads business strategy, partnerships and marketing functions at CodeLathe. He comes with over 15 years of experience as a Product Development Manager at Schlumberger and as a Product Manager at Garmin. Venkat holds a MBA from UT Austin and a Master of Science in Information Systems from Texas Tech University.