How the CCPA, CalOPPA, and GDPR impact North Carolina businesses: California and EU information privacy laws


Whether you call it information privacy, data security, or more generally understand the topic from a privacy policy posted on a website, businesses have amassed a considerable amount of private data on their consumers, customers, website visitors, and employees.

In the wrong hands, that information could lead to identify theft, blackmail, discrimination, lawsuits, and a public relations nightmare. It is not uncommon to collect social security numbers, drivers license numbers, physical addresses, email addresses, order histories, IP addresses, employee evaluations, and geographic information via websites, apps, and normal business practices.

North Carolina is not a big proponent of information privacy, leaving companies in Charlotte, Asheville, Durham, and Raleigh primarily following a few federal privacy laws organized under the FTC (not an inclusive list, but generally including health information, users 13 years old or younger, companies heavily in the financial industry, or generally utilizing unfair or deceptive trade practices in their privacy notice).

A competent privacy policy can save a North Carolina company from federal and state fines, but can laws in the California or Europe apply?

Is your company covered if it follows federal and North Carolina law?

Lawyers rarely have a short yes or no answer and this is no different, especially with the ever evolving privacy laws. Privacy laws additionally leave up a lot to interpretation. That’s a problem when failing to comply puts companies risk of civil liability and very expensive fines.

The answer is: it depends. Does the company consumers or customers in California or Europe? Clients are easy to categorize but Californian or European consumers is tougher. While they may not have paid you any money, but if they visit your website, request information, or email questions likely means you are processing their information.

California was one of the first states to require notification of a security breach. North Carolina and most other states have followed suit. But stronger laws have sprout up since that time.

The California Online Privacy Protection Act (CalOPPA)

CalOPPA applies to any website that collects personally identifiable information (PII) about California residents. That’s pretty easy to do, as collecting a resume from a California resident or a potential customer from California entering their contact information should put your website under CalOPPA’s scope.

The good news is most basic privacy notices, more commonly referred to as privacy policies, are formulated off of CalOPPA requirements. The privacy notice, commonly visible to web visitors via popup, must include:

  • what type of personal information is collected;
  • the types of third parties the information may be shared with;
  • if and how one may review and request changes to their information;
  • how privacy policy updates are performed;
  • “Do Not Track” compliance; and
  • an effective date for the policy.

These are basic privacy requirements that apply to a lot of North Carolina companies. It makes business sense to comply with these basics to limit FTC fines, lawsuits, and bad publicity in the case of data breaches.

The California Consumer Privacy Act (CCPA)

The CCPA was signed in 2018 and officially becomes law on January 1, 2020. The new law means stronger privacy requirements for larger companies with contacts with California. The law targets companies earnings $25 million or more per year, collects data on 50,000 or more consumers, households, or devices, or earnings 50 percent or more of their revenue in selling personal information.

Generally, the CCPA gives better notice to consumers about their right to opt out, make it easier to request their personal information, and provides added protection for children.

The General Data Protection Regulation (GDPR)

Remember in the middle of 2018 when you received no less than a thousand privacy policy updates? Thank the EU’s strong GDPR law. Thanks to a broad scope similar to California law, the GDPR applies to any company that collects information on EU residents, ranging from logging an EU IP address to capturing an EU resident’s social media post. There’s countless ways for any expanding North Carolina to fall under GDPR law and millions in annual fines.

The GDPR is the most expansive privacy in this article, and there’s no way to cover all 99 provisions. While similar to the newest California law, the GDPR includes countless requirements primarily surrounding privacy be design throughout the data life cycle. Privacy by design means, in part, developing business practices, infrastructure, and information technology through a privacy lens.

It is an intensive process that requires multiple company officers to identify, design, institute, train, audit, and modify a privacy policy. The difficulty is why even top companies like Google have already received substantial fines.

Choices for North Carolina companies

Privacy may not be a big issue for small and local businesses, especially those without websites or without online sales. For others, especially those with expansion plans or a digital component, these privacy regulations will soon apply. Make no mistake that other states will improve their privacy laws, and federal requirements are certainly on the horizon.

Businesses will have to change their privacy practices to allow better rights to consumers and customers, whether from laws coming from California, the EU, future legislation, or existing FTC requirements. It is important to get ahead of privacy issues early to help prevent data breaches and limit compliance costs as business practices grow.

A qualified privacy attorney can assist with developing privacy policies to protect both the business and their clients. Contact our attorneys to learn more about your options. Spengler & Agans offers a flat-rate legal checkup for startups and business needing a broad, overall legal review of their business and business practices, including privacy issues.

Contact Us
Sending