At the end of June 2018, California's legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The California Consumer Privacy Act (CCPA) provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold.
The new law will come into effect on January 1, 2020, however, on January 1 2020, California citizens will be able to request all data about them going back 12 months, or January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019.
The new privacy law,
Because California has the fifth largest GDP on the planet and companies are not likely to create dual systems of mapping and processes to differentiate between Californians and its other customers, the regulation will impact the national and global economy as well, representing a seismic change for compliance procedures in the US, similar to how GDPR has changed privacy rules globally. As a result, enterprises are under pressure from the following seven impacts the regulation may have on business operations:
1. Presumed Damages
A far-reaching provision of AB 375 is that of “presumed damages.” CA citizens may initiate a civil action to recover damages if they believe that an organization has failed to protect their personal data, i.e., a data breach. The possible damages of a breach equal an amount of not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer (per incident), or actual damages, whichever is greater. This means that if a breach occurs and consumer data is accessed or could have been accessed, the law presumes the data will be misused. Fines of $100 or $750 may not seem like much but figuring the possible size of the breach; the result could be in the millions of dollars.
2. Explosion in Consumer Lawsuits
Many/most of us have received emails or letters in the past from large companies saying that they had experienced an “unauthorized breach and your data may have been accessed and stolen.” The company further says not to worry, they are providing you with one or two years worth of free credit monitoring – and you’re welcome!” Now, CA residents can immediately bring an action against the company and be awarded damages without needing to prove actual damages. And let’s not forget that this law will be a huge opportunity for attorneys filing class action lawsuits.
3. Accelerated Requirements for Compliant IT and Business Applications
AB 375 raises the bar for much higher security for companies collecting or in possession of California resident data. The law also will force companies to be more aware of the consumer data they are collecting and manage that data more granularly. And preparing for the new California law (as well as the just-released GDPR) will be more complicated as other states look at adopting their own privacy laws. The question will be; will the other states adopt California’s law or will each come up with their own slightly different privacy regulation?
4. Data Consolidation Becomes Priority #1
Considering the new security environment, companies will first need to focus on data consolidation, then security. It is easier to secure a single repository as well as perform search, review, production, and retention/disposition on the data than working with several different application repositories with different rules and capabilities.
5. Productivity Declines Due to Legal Oversight and Administration
Given the sheer number of hacks that occur regularly, this presumed damage concept has the potential of creating a litigation tidal wave of claims and financial exposure notwithstanding a company’s best efforts to keep its customer data safe. Regardless, organizations will be required to be much more thorough in their legal compliance with the regulation, resulting in much higher legal costs.
6. Uncertaintly as the Commerce Clause Challenges the Mandate’s Legality
Even though AB375 is limited to businesses that do business with California residents and thereby does not discriminate on its face, it can be argued that the practical effect of the law does place an undue burden on interstate commerce. Also, since AB375 contains an income generating mechanism for California - some would even say a new tax on businesses given the frequency of cyber data exposures - we can envision a Commerce Clause challenge.
7. Skyrocketing Compliance Infrastructure Costs
Many pundits expect the U.S. Congress to eventually pass a national privacy law. However, if the CCPA is left unchallenged, businesses will be forced to spend huge amounts of money to ensure compliance with the new regulation. Unless organizations are able to architect cost-effective solutions to address the mandate, operations will suffocate and consumers will suffer as a result from rising prices and lost jobs.
The CCPA is an alarm for technology professionals required to comply with this regulation because it is one of the first, in a queue of similar legislative initiatives focused on clamping down on consumer data privacy.
For businesses and their IT teams, regardless of location, this is an area that must be seriously considered in order to remain in compliance while maintaining seamless IT operations. Businesses are advised to plan their responses accordingly as the mandate is expected to set a trend throughout North America.
