September 26, 2020

Volume X, Number 270

If You Do Nothing Else for the CCPA, Do This…

Secure your data. Really. If you do nothing else for the looming CCPA, secure the personal information you hold.

It’s not as if this hasn’t been either a sensible or a required step in the past. But if you haven’t been paying rapt attention to the cacophony of CCPA commentary, opinions, draft regulations, and urgent to-do lists, here is arguably the step that will have the most direct benefit: secure your data.

The California Consumer Privacy Act of 2018 sets a new, higher standard in the U.S. for a consumer’s control over their otherwise unregulated personal information. Putting aside the effectiveness of how companies implement the CCPA, Californians as of January 1, 2020 will have enhanced rights to access their data (1798.100), to request that it be deleted (1798.105), and to know what categories of their information have been collected (1798.110) and sold (1798.115).

As of January 1, 2020, data breaches in California — the world’s 5th largest economy — will become much more expensive — and perhaps the most expensive in the world. The California AG has the opportunity to intervene, but given the resource challenges, the reality is that the plaintiffs’ bar will own the lead.

California “businesses” are struggling to understand and implement these rules. Additionally, organizations are assessing how to revise their privacy policies, what operational changes are recommended to manage the law, and let’s not even touch the kerfuffle surrounding third-party advertising and especially ad networks. Given the law’s ambiguity and the myriad questions the ‘clarifying’ draft regulations have raised, this leaves companies around the world wondering how to properly comply with the CCPA.

The CCPA provides consumers with many rights that most organizations already support. But, to the extent that a company falls short of the new requirements, keep in mind that most CCPA enforcement is delegated solely to the California Attorney General. Although the CA AG is an aggressive enforcer of California’s laws, there are many resource constraints. The AG’s office has many laws to enforce, and in the context of the CCPA specifically there may be high-profile companies whose data handling attracts more attention than your own imperfect compliance.

The CCPA permits individual consumers to assert a legal claim for damages when the consumer’s personal information has been lost — or subject to a data breach in official parlance. This means that any data breach after January 1, 2020 involving California residents is subject to the CCPA and its statutory damages of up to $750 per violation. While $750/person is not a huge number, if there are a great many people affected the numbers add up and the attraction for plaintiffs’ lawyers is understandable.

All of this leads to the priority of securing personal information by all companies holding California personal information and especially those that cannot afford to comply fully. Organizations of all types will lose data. This is today’s reality. But if a company applies the data security guidance that the California AG has identified as constituting reasonable security, then a firm will have a significant defense against claims that the loss of personal information was irresponsible or inconsistent with best practice.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved. National Law Review, Volume IX, Number 346



About this Author

Peter McLaughlin Privacy & Data Attorney Womble Bond
Partner

Peter McLaughlin is a Privacy & Data Security attorney who advises clients with respect to a broad range of technology transactions, privacy and security issues. While maintaining a broad privacy practice, Peter focuses on innovative uses of data, especially with the life sciences and digital health sectors. He also guides clients in their domestic and international handling of personal information; new product development; and the assessment of legally defensible cybersecurity programs. The Legal 500 has recognized Peter’s work in the area of data protection and...

857.287.3113