California will be implementing the strongest electronic privacy law in the nation come Jan. 1, 2020, but provisions of the law mean that companies that collect and store data on Golden State residents can be held to account for data they store going back to Jan. 1 of 2019.
Starting Jan. 1, 2020, California residents can request all data an organization may have on them going back 12 months. Any company that stores data of any type on residents will need to start now to make sure they are properly collecting and classifying California resident data starting January 1, 2019.
There are serious concerns among lawyers that this law will create a new minefield of litigation for businesses, and not only in those in California. So it’s important that any organization that keeps client data needs to have their systems ready for requests, and also to ensure that those systems are property safeguarded.
Some analysts think the new law will require any company doing business in California or with California consumers to comply, meaning that organizations in other states will also have to beef up their systems to comply. As a result, this law could have national ramifications.
Under the new law, AB 375 also known as the California Consumer Privacy Act of 2018, any California resident will be able to ask any business that has collected their personal information for the types and categories of personal data the company has collected.
It also requires businesses to disclose the purpose for collecting the data, as well as whether they have sold it to a third party, the name of the third party, and for what purpose the data was sold. California citizens can also ask the company to delete their data.
Reasons lawyers are concerned
Here’s what’s got defense attorneys and risk managers on edge about the law:
- Threat of lawsuits – Under AB 375, if an organization notifies its customers that it has had experienced a data breach, California residents can immediately sue the company and be awarded damages without having to prove they actually suffered any real damages.
They just need to show that the organization failed to protect their data.
Damages for a breach must be not less than $100 and no more than $750 per California consumer affected (or actual damages, whichever is greater).
- Compliance will get harder – The law requires companies that collect or hold data on California residents to safeguard that data and manage it more carefully.
- Data consolidation – Any company that holds data on California consumers will need to first need to focus on consolidating that data before securing it. That’s because it is simpler to secure a single repository as well as perform search, review, production and retention/disposition of the data than if that data is stored in different applications with their own repositories.
- Higher legal, compliance costs – Because there is so much at stake, companies will have to spend more on both legal defense costs as well as hiring lawyers to evaluate compliance efforts. They will need to work closely with counsel to make sure they can show they are doing all they can to protect the data and, if they are sued, they may need to retain counsel.
- Infrastructure costs of compliance – Businesses will have to spend significantly to ensure they are complying with the law, even if they only have a few California customers. The key will be to remain compliant with the law while at the same time ensuring that operations don’t suffer as a result of doing so.
Any company doing business with California customers and which stores data on California residents will have to make sure they comply with the law, and also that they can quickly respond to a consumer that asks them for their data and what they’ve been doing with it.
Business owners will also need to beef up security further to avoid the possibility that their data will be compromised or breached.
Pundits expect similar laws to come on the books in other states, and that the California law will service as a model for them. So this is only the beginning.