Your Out-of-State Website May Be Subject to California’s New Data Privacy Law
Your Out-of-State Website May Be Subject to California’s New Data Privacy Law



California's laws regarding website accessibility pose numerous potential risks for companies, with penalties per violation of up to $7,500 under the California Consumer Privacy Act ("CCPA") A number of Clym customers have asked whether they are required to comply with CCPA if they’re not located in California. A recent court ruling, Thurston v. Fairfield Collectables of Georgia, LLC filed August 26, 2020, confirms that CCPA is likely to be enforced against almost any company whose website that sells to California residents, even if those California residents aren’t explicitly being targeted by the site.

What Happened in Thurston?

Fairfield Collectables ("Fairfield") is a Georgia-based online retailer that sell models of cars and other vehicles.  Fairfield has no California employees, nor does it own or lease property in the state. California consumers accounted for 10% of Fairfield’s consumer base, and 8% of its total sales, even though Fairfield never targeted or solicited California customers. The company averaged around $350,000 in sales to California customers per year. 

Thurston, who is blind and needs a screen reader to use the Internet, claimed that due to Fairfield's web design, she was unable to use or navigate their website, which deterred her from purchasing any of Fairfield's products (note that Thurston never actually made a purchase so companies should be aware that even if an individual does not become your customer, they may still have a claim against you as the website owner).  Thurston filed a claim under the Unruh Act, which is a California anti-discrimination law.

How Does A California Court Have Jurisdiction Over A Georgia Company?

The court ruled that Fairfield was subject to "purposeful availment" to California's jurisdiction, which is a concept where a business or person seeks the benefits from a state, whether they are the laws of a state or the market within the state. The general rule for whether websites create purposeful availment with a particular state is a sliding scale.  Online businesses with websites that are used to conduct business, enter contracts and involve repeated transmission of files are more likely than not considered to be availing themselves to personal jurisdiction within a state. These websites are typically considered as "interactive websites." subject to California jurisdiction.

 

The court determined that Fairfield had substantial connections with the State, citing the approximately 8% of sales to California residents, totaling on average $350,000 a year. 

Additionally, the court deemed that it was reasonable to apply jurisdiction, as Fairfield had the choice to not sell to Californians.

Why Does This Matter For CCPA?

As of 2020, California has the 5th largest economy in the world, so if you’re selling (or collecting data) online, you likely have California customers. Although this lawsuit addresses alleged noncompliance under the Unruh Act, this ruling suggests that any websites used by California residents may be subject to California laws and regulations, such as the requirements as outlined by CCPA.  Businesses all over the country (and the world) need to take note and determine whether they’re in scope for CCPA. It is now more important than ever for businesses to get a handle on their data privacy compliance protocols; if compliance isn’t achieved then financial penalties will likely follow.

 

How Can Clym Help?

Clym provides a cost-effective, scalable and flexible platform to help comply with CCPA, GDPR, and other laws as they continue to change. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.