Chat With Us

Intelligent Information Management in Your Azure Cloud

With Archive2Azure, the intelligent information management and archiving solution built on Azure Services, you’re able to maintain control over all your corporate information.

Learn More


Fast, secure, painless migration of data to the Microsoft Cloud

FastCollect takes the risk out of data migration to the Microsoft Cloud by providing 100 plus connectors for migrating a huge variety of structured, semi-structured, and unstructured data. FastCollect provides for the fast, secure, and trouble-free movement of data from on premise and cloud repositories to the Microsoft Cloud in a legally defensible manner.

Learn More


By: Bill Tolson on July 16th, 2018

Print/Save as PDF

The New California Privacy Law and Presumed Damages

California Privacy Act

CA 07142018_1At the end of June, California's legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The new law provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold. The new law will come into effect on January 1, 2020, however, on January 1 2020, California citizens will be able to request all data about them going back 12 months, or January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019.

The new privacy law, AB 375, gives California consumers the right to ask any business that has collected their personal information, for the types and categories of personal information the company has collected. It also requires businesses to disclose the purpose for collecting the data as well as if they have sold it to a third party, the name of the third party, and for what purpose the data was sold. California citizens can also request their data be deleted.

Presumed Damage

A far-reaching provision of AB 375 is that of “presumed damages.” CA citizens may initiate a civil action to recover damages if they believe that an organization has failed to protect their personal data, i.e., a data breach. The possible damages of a breach equal an amount of not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer (per incident), or actual damages, whichever is greater. This means that if a breach occurs and consumer data is accessed or could have been accessed, the law presumes the data will be misused. Fines of $100 or $750 may not seem like much but figuring the possible size of the breach; the result could be in the millions of dollars.

For example, a company is hacked, and it is determined that 5000 accounts were accessed. The fines could reach $3.75 million -even if no actual damages can be proven! Of course, AB 375 does not layout any liability if the data was encrypted.

The days of “we’re sorry, here’s free credit monitoring” are gone

Another example. Many/most of us have received emails or letters in the past from large companies saying that they had experienced an “unauthorized breach and your data may have been accessed and stolen.” The company further says not to worry, they are providing you with one or two years’ worth of free credit monitoring – and you’re welcome!” Now, CA residents can immediately bring an action against the company and be awarded damages without needing to prove actual damages. And let’s not forget that this law will be a huge opportunity for attorneys filing class action lawsuits.

Data security and information management will take center stage

AB 375 raises the bar for much higher security for companies collecting or in possession of California resident data. The law also will force companies to be more aware of the consumer data they are collecting and manage that data more granularly. And preparing for the new California law (as well as the just-released GDPR) will be more complicated as other states look at adopting their own privacy laws. The question will be; will the other states adopt California’s law or will each come up with their own slightly different privacy regulation?

Considering this new security environment, companies will first need to focus on data consolidation followed by security. It is easier to secure a single repository as well as perform search, review, production, and retention/disposition on the data than working with several different application repositories with different rules and capabilities.

To find out more about the new California Privacy Law (AB 375), plan to attend Archive360’s upcoming webinar titled: Understanding the California Privacy Act scheduled for August 9 at 11:00 am ET. You can register here.

Register Now!

About Bill Tolson

Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.