As has been widely reported, California’s new privacy regime is set to come into effect on January 1, 2020. The law constitutes an expansion beyond California’s existing privacy laws, in particular California’s existing Shine the Light Law and the California Online Privacy Protection Act. Various provisions of the new law will apply to businesses that have annual total revenue greater than $25 million (not just in California), that obtain or share for commercial purposes the personal information of 50,000 or more, or that get 50% or more of their revenue from selling or sharing PII. The law was passed quickly to avoid a similar voter-initiative ballot measure, and as a result has several ambiguities and apparent inconsistencies. It is therefore very likely that the law will be changed by amendment, and clarified through rules and regulations, before it comes into effect in 2020.
Companies can begin to think about how they would implement these measures, and follow what we anticipate will be further developments in the legislation itself and clarifying regulations issued to help companies address the requirements. Also worth watching is the law’s treatment of private rights of action. The law does not contain a private right of action for violation of any of the disclosure or individual rights provisions, but it does provide a private right of action for consumers whose information has been compromised in a data breach resulting from inadequate security measures (subject to the California Attorney General taking over such action). This essentially codifies the concept of negligence in California data breaches and, by imposing statutory damages ($100-$750), may largely affect the pleading and proof of damages in data breach cases, which is often the issue of greatest dispute.
Putting it Into Practice: While the California Consumer Privacy Act will almost certainly change before it comes into effect in January 2020, companies may want to begin thinking about some of the core new provisions in that law, in particular how to respond to consumer information and deletion requests. We will continue to monitor this law and anticipate that further details about compliance will be forthcoming from California, as well as potential modifications to the law itself.