
Florida-based companies enjoy the benefits of a low-regulation state government. In fact, when it comes to requirements for data privacy protection, Florida has comparatively few applicable laws and regulations. But like the tourists who travel far and wide to visit the Sunshine State, data protection laws from other U.S. states, and even foreign countries, now apply to Florida corporations because of the far-reaching nature of the internet. Case in point, the California Consumer Privacy Act, or the CCPA, is having a seismic impact on companies everywhere, including Florida.


CCPA’s Extraterritorial Impact

Passed unanimously last year by both chambers of the California legislature, the CCPA is an ambitious effort to control the collection and sale of consumer personal data by any business that collects and uses it. Most critically, it requires businesses to provide a “do not sell my personal information” link on their websites. Given California’s clout as the fifth largest economy in the world, the CCPA has vaulted the state to the very leading edge of the privacy debate.

It is that same economic strength that is driving the application of the CCPA outside the borders of California. The CCPA applies to any company “doing business” in the state that has a gross annual revenue of $25 million, or annually deals in the personal information of 50,000 or more California consumers, households or devices. The act also impacts companies that derive more than 50% of their annual revenue from selling California personal information. Even sharing common branding with a company that meets these criteria subjects a business to the act’s requirements.

At first blush, the $25 million threshold seems like an easy out, but the threshold is $25 million overall, regardless of the specific amount coming from California. And “doing business” can mean that the company actively engages in any transaction for the purpose of financial or pecuniary gain or profit in California, including paying compensation to a single California employee.

If a Florida company falls within that definition, the CCPA gives California residents a number of rights, including requesting that a business:

  • Disclose the categories and specific pieces of personal information it has collected;
  • Disclose the categories of sources from which the personal information is collected;
  • Disclose the business or commercial purpose for collecting or selling the personal information;
  • Disclose the categories of third parties with whom the business shares the personal information;
  • Delete any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions; and
  • Not “sell” (broadly defined) the consumer’s personal information (the “do not sell” opt-out).

Businesses typically must respond to these requests within 45 days of receipt, and must provide certain easily accessible, cost-free methods for exercising these rights.

Moreover, the CCPA adds several new substantive requirements that must be included in a privacy notice or policy, beyond existing California-specific requirements, including:

  • A description of consumers’ rights under the CCPA;
  • A description of the categories of personal information collected by the business in the preceding 12 months;
  • The commercial and business purposes for which the personal information is collected;
  • The categories of personal information sold or disclosed for a business purpose in the preceding 12 months;
  • The categories of third parties with whom personal information is shared;
  • A link to a “do not sell my personal information” web-based opt-out tool;
  • A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy); and
  • Two or more designated methods for submitting information requests, including a toll-free number and a website address (if applicable).

The law requires compliance with its provisions as of January 2020, which means immediate action is required to meet that deadline. Violations of the CCPA are subject to enforcement by the California Attorney General’s office, which can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation after notice and a 30-day opportunity to cure have been provided.


What Should You Be Doing Now?

If a Florida company meets the “doing business” requirements, what steps can it take to determine whether it’s compliant? First, create a data inventory of all the personal information collected, how it’s being used, and how it’s shared. It’s critical to identify all the vendors and other third parties with whom personal information is being shared and review the existing contracts with those parties for compliance with CCPA requirements. Second, test what happens when a consumer makes a CCPA demand that your company not “sell” their information. Businesses should assess whether they can continue to operate and provide services if that request prevents processing by third-party vendors. Lastly, the CCPA unlocks private causes of action with potentially devastating statutory damages, but only in connection with certain data breaches. Businesses need to stay on top of their security practices to prevent that possibility.

Luis Salazar is the founder of Salazar Law, a minority-owned law firm specializing in complex data privacy and compliance matters. The Department of Justice has appointed him 25 times as Consumer Privacy Ombudsman to protect more than 40 million data profiles for consumers. He can be reached at [email protected].