Data security and consumer privacy are two of the biggest issues dominating today’s privacy law landscape. As harmful data breaches continue to grab headlines, we’re seeing strong reactions across the industry, from consumers who are looking to the law for protection, to legislators who are busy enacting new laws designed to meet the data security challenges that go hand-in-hand with today’s technological era.
Few laws are getting more attention than California’s upcoming privacy law, the California Consumer Privacy Act. Whether or not your business is located in California, your activities are likely to be impacted by the legislation’s broad reach. The law comes with major implications for data security and the potential for much litigation.
The good news is that, by understanding what the future holds, you’ll be in a better position for compliance once the important new legislation takes effect.
CCPA 101: What the Legislation Says
Passed last year, the CCPA is set to take effect on January 1, 2020, and has far-reaching implications for businesses that handle consumer data, particularly businesses that engage in any form of digital advertising (which is most businesses these days).
The CCPA is, at its core, a robust disclosure law designed to ensure that companies’ current methods for data collection and gaining consumer consent are adequate. Under the new law, California citizens will have the right to know what personal information is collected about them, what the purported business purpose is for collecting that information, and whether that information will be shared or sold (and with whom). Consumers will also have the right to request that businesses not sell their personal information to third parties and the right to access whatever information businesses have collected about them, even if it came from third-party sources.
Whether or not it was their original intention, most companies have been positioned by technological advancements as huge repositories of consumer data, much of it sensitive. The CCPA doesn’t limit personal information to identifying information; it also covers information on online activities like browsing and search history or social media activity – essentially, your Social Security number and your Instagram likes are treated equally under the new law.
That means that the law has major implications for digital advertising. Companies need to understand both the law and how their digital advertising activities have the potential to impact data security in ways that will trigger the law’s new requirements.
The Expected Onslaught of Litigation
Consumer protection and privacy have long been a hotbed for litigation, much of it coming under the Telephone Consumer Protection Act (TCPA), passed in 1991. The TCPA is currently the source of more class actions than any other law. The CCPA is expected to exceed it in that regard.
The TCPA is more narrowly tailored, whereas the CCPA allows for far more potential violations. By giving consumers a narrow private right to sue under the CCPA for data breaches, the law is expected to lead to a flood of class action suits similar to, and potentially dwarfing, that seen under the TCPA.
Because many companies are not prepared to comply, these will be perceived as easy cases, as well as high-value cases given that they allow for statutory damages. Specifically, the law allows for uncapped statutory penalties of $750 per breached record – for companies that have data on thousands or even millions of consumers, the damages potential is extraordinary.
How to Prepare
How the CCPA and its ensuing litigation will play out remains to be seen, but there are things you can do now to prepare and ensure that you’re compliant when the law takes effect.
First, you need to know what data you have. Implement a way of systematically analyzing it so you know what you have and where it is, why and how it was collected, how it has been or will be used, with whom it’s shared or sold, how long you intend to keep it, and whether you even still need it. You should also understand what relationships you have with third parties that have data security implications.
Second, because the CCPA is about disclosure, you need to know what your current privacy and notice policies are. The act has specific requirements for website privacy policies, so now is the time to make sure yours are brought up to compliance. You should also plan to regularly review them going forward in case the requirements change.
Getting used to the new framework now and laying the groundwork for complying down the road is the best way to rest easy when the CCPA takes effect. At Veritext, we’re familiar with how today’s leading technologies implicate data security concerns. Contact us today to learn how you can be CCPA-compliant tomorrow.