Consumer privacy law can affect businesses across United States

By Joyce M. Rosenberg

AP Business Writer

NEW YORK (AP) — If the thousands of Californians who use Josh Simons’ app for musicians demand next month that Vampr delete their personal information, Simons will be ready to comply.

The social network company expects to be one of many businesses nationwide subject to the California Consumer Privacy Act, a law that takes effect Jan. 1 and gives consumers control over the personal information companies collect, store and often share with other enterprises. Simons, who already had a user privacy policy in place before the act became law last year, has retooled the policy and the Vampr app.

“We have half a million users around the world,” Simons says. “It’s definitely something we have to keep in mind.”

Companies across the country need to be aware of the law’s complex requirements even if they don’t deal directly with consumers. It covers companies that conduct business in California, including out-of-state companies that sell products or merchandise to California residents. The law can also cover companies that make money from providing services like payment processing or website hosting to businesses that are subject to the law.

The law does have provisions aimed at exempting small businesses — companies are subject to the law if they have worldwide revenue above $25 million; collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; or get at least half their revenue from selling personal information. But small companies can easily reach the 50,000 threshold for collecting or receiving information — an individual who has a phone, tablet, PC at home and one at work counts as four users, not one.

Vampr is currently about 1,000 users shy of the threshold, but Simons expects the app will reach that milestone sometime in January. The Santa Monica, California-based company’s home state is its biggest market.

The law aims to protect consumers from having their information sold without their knowledge or consent. It was passed by the California Legislature in June 2018, and modeled on the European Union’s General Data Protection Regulation, which took effect in May 2018. The California law was enacted amid increasing concern about companies sharing consumer data, especially after it was learned that the data firm Cambridge Analytica improperly accessed Facebook user information.

The California law gives consumers the right to know what personal information companies collect from them, and what businesses do with it — whether they share, transfer or sell it, and who is the recipient of the information. Under a key provision, companies must give consumers the option to have their information deleted from databases.

The law covers a wide range of data including names, addresses, Social Security and passport numbers, email addresses, internet browsing histories, purchasing histories, personal property and health information, professional or employment information, educational records and information from GPS apps and programs.

Companies subject to the law must ensure their systems and websites are in compliance. Many without in-house technology staffs have hired companies to install software that among other things creates the website buttons and links that allow consumers to see their information and opt out of having it stored. Some companies may decide to get legal help to be sure they’re on the right track. Simons, who himself installed the software to make Vampr compliant, estimates the process cost the business $7,000, a large sum for a small company.

While the California statute takes effect Jan. 1, enforcement won’t begin until July 1. And the law as it stands now may change — the Legislature has already passed a number of amendments.