LOS ANGELES—While California’s new data privacy law appears to be generally aimed at big tech companies that sell consumer data, some suggest that mom-and-pop businesses are the most likely to experience a tightening of the thumbscrews.
John Kabateck, the California state director for the National Federation of Independent Business (NFIB), said the biggest problem for small and medium-sized businesses is the sheer lack of knowledge of what is required from them in 2020.
The California Consumer Privacy Act went into effect Jan. 1. It requires businesses that collect consumer data to give consumers access to that data and allow them to refuse its sale to third parties. Consumers may also request that companies delete the data associated with them.
“Every Californian deserves to have safe and secure knowledge of their personal information,” Kabateck said. “But this law, unfortunately, has more problems than solutions, and it’s going to add to an Armageddon of confusion and devastation for small businesses in the Golden State.”
“They may think they’re smacking it to the big guys,” he said. “But it’s a lot of these already fragile, already struggling business owners that are already feeling the confusion and fear and frustration with this law.”
According to NFIB, which represents over 15,000 members in California, small businesses must pay three times more than larger corporations to comply with the law.
A report prepared by Berkeley Economic Advising and Research for the Attorney General’s Office found that small businesses with fewer than 20 employees are going to be on the hook for a minimum of $50,000 per year in compliance costs.
“Let’s not forget: most small businesses don’t have legal teams, HR departments, administrative teams, and IT divisions to help them sift through this massive law,” Kabateck said.
“Mom-and-pops, which make up most of the state, don’t have those resources at their fingertips, and at the end of the day, they’re going to have to pay through the nose [in order to] comply and understand this.”
The Berkeley report estimated that the initial annual cost of compliance for businesses statewide would be $55 billion—the equivalent of 1.8 percent of California’s gross state product in 2018.
Challenges to Interpreting the Law
Legal experts have started to consider how the law might be interpreted and have identified parts that are unclear.
“One [challenge] is just understanding what ‘personal information’ is,” said Joseph Lazzarotti, chair of the Privacy, Data, and Cybersecurity Practice Group at the firm Jackson Lewis.
“When you look at the definition of personal information, [the Privacy Act] said [it’s] basically any information that can be linked to an individual. Well, what does that mean? How far does that go? One of the amendments added ‘reasonably’ connected. Maybe that kind of contains it, but again it’s not as clear as it can be.”
“This is the first law of its kind in the United States, so there will need to be some period of time where companies ... absorb the rules and understand how they work in practice.”
“Of course, a lot of questions will come up during that process as well. It just takes time, and that’s the reality.”
Reece Hirsch, co-head of privacy and cybersecurity practice at Morgan Lewis in San Francisco, said there are a number of areas where the law would benefit from clarification.
“One important area is this definition of a ‘sell.’ Because, as currently written, it could include a broad range of uses of data by third parties,” he said.
“For example, the developed algorithms for artificial intelligence purposes, or for the delivery of online advertising, which is a huge industry [that could be] impacted by some of the new restrictions.”
“The dust has definitely not settled on the [Privacy Act] yet.”
“Businesses [are] in a bit of an uncomfortable bind because they’re striving to comply, but they don’t know all the rules yet.”
Enforcement
Hayley Tsukayama, a legislative analyst for the nonprofit Electronic Frontier Foundation, said the timeline for implementation is unusual. The law took effect on Jan. 1, but the attorney general’s regulations on how to enforce the law won’t be finalized until July.
According to Tsukayama, the Privacy Act is a huge step forward, but not perfect. She believes the law would benefit from stronger enforcement.
“Right now, the [Privacy Act] centralizes all enforcement in the Attorney General’s Office, which has a small staff of privacy-focused personnel,” she said.
“We’d like to see enforcement expanded—ideally with a private right of action—so that every individual can sue companies for violating any of their ... privacy rights [covered by the Act].”
Tsukayama said that the Electronic Frontier Foundation worked with legislators early in the 2019 session. The Foundation wanted to include an additional element to the law aimed at further empowering consumers, but that element didn’t make it in.
“Right now, consumers have the right to ask companies to stop selling their information—that’s huge,” she said. “But the law we proposed would have required companies to make the requests: to come to you before they sold your information.”
In Kabateck’s view, an ideal iteration of the Privacy Act would strike a better balance between consumer and business interests.
“Laws like this need to work for consumers and small businesses alike,” he said.
Kabateck strongly advises small business owners to seek professional legal counsel when it comes to compliance.
“We’re just trying to make sure we can get them educated,” he said. “And [we’re] trying to find ways to fix this terrible law.”