There are three new laws this year that are affecting my businesses, so I thought I’d bring them to your attention as well. They are from the states of California and New York but have ramifications for everyone. Law #1 grants the citizens of California the right to privacy and means changes for your website at the very least. Law #2 changes who can be considered an independent contractor, and it includes incorporated businesses! Law #3 defines how securely you must store the data of New York residents. If you do business or contract with anyone, or come into contact with data, from New York or California, these new laws likely apply to you.
Keep in mind that I’m not a lawyer so I’ve included links to the laws for your reference. I know that my businesses are impacted by these laws so yours might be too.
Law #1: The right to privacy
In the first one, the citizens of California have been granted the right to privacy. This act is similar to the rights to privacy granted to most of the world’s citizens today but not generally recognized in the USA. This act changes that. Here’s what it does for California citizens (https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act):
- Lets them know what personal data is being collected about them.
- Lets them know whether their personal data is sold or disclosed and to whom.
- Allows them to say no to the sale of personal data.
- Allows them access to the personal data you collected from them.
- Allows them to request a business to delete any personal information about them.
- And they cannot be discriminated against for exercising their privacy rights.
What kind of data are we talking about?
CCPA defines personal information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
An additional caveat covers information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, their name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
For most of us, this means our websites at the least, if you are using something like Google Analytics to track visitors.
Who does this apply to?
The law applies to any business, including any for-profit entity that collects consumers’ personal data, which does business in California and satisfies at least one of the following thresholds:
- Has annual gross revenues in excess of $25 million;
- Buys or sells the personal information of 50,000 or more consumers or households; or
- Earns more than half of its annual revenue from selling consumers’ personal information.
Organizations are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.
What do you have to do to comply?
- Implement processes to obtain parental or guardian consent for minors under 13 years and the affirmative consent of minors between 13 and 16 years to data sharing for purposes.
- Place a “Do Not Sell My Personal Information” link on the home page of the business’s website that directs users to a web page enabling them, or someone they authorize, to opt out of the sale of the resident’s personal information.
- Designate methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Update privacy policies with newly required information, including a description of California residents’ rights.
- Avoid requesting opt-in consent for 12 months after a California resident opts out.
Law #2: Changes to independent contractor definitions
California has decided to bring people of the gig economy into work as full employees rather than independent contractors. They have cast a very wide net that is snaring all sorts of workers, business-to-business relationships, franchises, and freelancers. Lawsuits are going to be frequent with this law in order to figure out what exactly it’s going to come down to, but for the time being it’s pretty terrible and might affect your relationship with contractors or even businesses that do work for you.
What is an independent contractor?
(A) The person is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.
(B) The person performs work that is outside the usual course of the hiring entity’s business.
(C) The person is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.
What business-to-business relationships can be considered an employee?
The law then goes on to restrict the hiring of incorporated businesses as contractors with a 12-point test. All points must be passed in order for the business to not be an employee of the contracting business.
(1) If a business entity formed as a sole proprietorship, partnership, limited liability company, limited liability partnership, or corporation (“business service provider”) contracts to provide services to another such business (“contracting business”), the determination of employee or independent contractor status of the business services provider shall be governed by Borello, if the contracting business demonstrates that all of the following criteria are satisfied:
(A) The business service provider is free from the control and direction of the contracting business entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.
(B) The business service provider is providing services directly to the contracting business rather than to customers of the contracting business.
(C) The contract with the business service provider is in writing.
(D) If the work is performed in a jurisdiction that requires the business service provider to have a business license or business tax registration, the business service provider has the required business license or business tax registration.
(E) The business service provider maintains a business location that is separate from the business or work location of the contracting business.
(F) The business service provider is customarily engaged in an independently established business of the same nature as that involved in the work performed.
(G) The business service provider actually contracts with other businesses to provide the same or similar services and maintains a clientele without restrictions from the hiring entity.
(H) The business service provider advertises and holds itself out to the public as available to provide the same or similar services.
(I) The business service provider provides its own tools, vehicles, and equipment to perform the services.
(J) The business service provider can negotiate its own rates.
(K) Consistent with the nature of the work, the business service provider can set its own hours and location of work.
(L) The business service provider is not performing the type of work for which a license from the Contractor’s State License Board is required, pursuant to Chapter 9 (commencing with Section 7000) of Division 3 of the Business and Professions Code.
There are some exceptions. You’ll need to read this law fully to find out if any of them apply to the types of work that you hire out. https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201920200AB5
Law #3: New York Data Security Protections
Under this law, any data stored anywhere that belongs to a resident of New York falls under data protection rules. By accepting that data, you are agreeing to be regulated under this law. This law says that you must protect that data, even if you are a very small business, so essentially everyone. This means that if you have any customers or business partners in New York, that relationship comes with data security protections attached.
Here’s what you have to do to protect their data:
Reasonable security requirement. (a) Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data. https://www.nysenate.gov/legislation/laws/GBS/899-BB
(b) A person or business shall be deemed to be in compliance with paragraph (a) of this subdivision if it either:
(i) is a compliant regulated entity as defined in subdivision one of this section; or
(ii) implements a data security program that includes the following:
(A) reasonable administrative safeguards such as the following, in which the person or business:
(1) designates one or more employees to coordinate the security program;
(2) identifies reasonably foreseeable internal and external risks;
(3) assesses the sufficiency of safeguards in place to control the identified risks;
(4) trains and manages employees in the security program practices and procedures;
(5) selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(6) adjusts the security program in light of business changes or new circumstances; and
(B) reasonable technical safeguards such as the following, in which the person or business:
(1) assesses risks in network and software design;
(2) assesses risks in information processing, transmission and storage;
(3) detects, prevents and responds to attacks or system failures; and
(4) regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) reasonable physical safeguards such as the following, in which the person or business:
(1) assesses risks of information storage and disposal;
(2) detects, prevents and responds to intrusions;
(3) protects against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of the information; and
(4) disposes of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
These requirements are really just good practices today and not terribly onerous. We can certainly help with this. Note that the law requires training. Cyber insurance also requires training. Have I mentioned that we have a trainer on staff? Ongoing training is now just a fact of life. The Internet moves at the speed of light and we mere humans have to try to keep up. Training is the only way. It should be on everyone’s annual plan.
How we manage our employee relationships is changing. How we manage and care for each other’s data is changing. Training is essential. These new laws represent a groundswell of new concerns that are going to sweep the country. Not that we aren’t subject to these laws today, we are. But look for more and more to come from every state in the nation. This is the new normal, so the time is now to begin your compliance strategy.
Harbor Computer Services is an IT firm servicing Southeastern Michigan. We work exclusively under contract with our clients to provide technology direction and either become the IT department or provide assistance to the internal IT they already have. We have won many awards for our work over the years, including the worldwide Microsoft Partner of the Year in 2010. We’re the smallest firm to have ever won this most prestigious award. Most recently we were recognized as one of the top 20 visionaries in small business IT by ChannelPro Magazine (2015). And in 2016 as the top Michigan IT firm for Manufacturing. There are a few simple things that make Harbor Computer Services the best choice for your business.
- We are Professionals
- We are Responsible
- We are Concerned About The Success of Your Business