Q: I have been getting emails and letters from various consultants and organizations stating that as of Jan. 1 we have to comply with the new California Consumer Privacy Act (CCPA). The act is supposedly the toughest in the nation and will be a model for other states. I think compliance would be burdensome and would probably force us to hire one of those consultants to help us comply. If our agency is not located in California, do we have to comply with the law? What if we have just an IC in the state? Are there any other privacy laws that we need to comply with?
A: As was the case with the EU's General Data Protection Regulation (GDPR), there is now a whole industry of consultants and other experts, including lawyers, who advise small businesses about complying with privacy laws that they don't need to comply with. Even agency franchises and consortia are getting into the act, according to emails that I have seen.
The CCPA does not apply to any business unless it: a) has annual gross revenue in excess of $25 million, b) buys or sells the personal information of 50,000 or more consumers or households or c) earns more than half of its annual revenue from selling consumers' personal information.
In the travel agency business, only the first criterion is relevant. The term "gross revenue" is not defined in the law, but in the travel agency business, it means commissions, overrides, fees and markups. It would not include money passed to suppliers because that money is the suppliers' gross revenue.
Using the Travel Weekly 2019 Power List, which lists "sales" instead of revenue, and assuming that gross revenue is typically about 10% of sales, the $25 million criterion means that only the top 43 travel companies in the country are subject to the law. If you do not need to comply, it does not matter whether you are located in California or have employees or ICs there.
As with the GDPR, you could also be required to comply with the CCPA if a corporate client's contract requires you to comply. Ideally, try to amend the contract to state that you will follow the CCPA only to the extent that it is applicable to your business.
You can find a good summary of CalOPPA and sample policies here.
The law also has detailed requirements for your home page's link to the policy. There is no requirement that the user hit an "accept" button.