The New California Privacy Law and Presumed Damages
At the end of June, California's legislature passed a new privacy law that in effect implements the strongest privacy controls of any state in the U.S. The new law provides a series of new rights to California’s consumers over how their personal data is collected, used, and sold. The new law will come into effect on January 1, 2020, however, on January 1 2020, California citizens will be able to request all data about them going back 12 months, or January 1, 2019. This means companies will need to ensure they are properly collecting and classifying California resident data starting January 1, 2019.
The new privacy law, AB 375, gives California consumers the right to ask any business that has collected their personal information, for the types and categories of personal information the company has collected. It also requires businesses to disclose the purpose for collecting the data as well as if they have sold it to a third party, the name of the third party, and for what purpose the data was sold. California citizens can also request their data be deleted.
A far-reaching provision of AB 375 is that of “presumed damages.” CA citizens may initiate a civil action to recover damages if they believe that an organization has failed to protect their personal data, i.e., a data breach. The possible damages of a breach equal an amount of not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer (per incident), or actual damages, whichever is greater. This means that if a breach occurs and consumer data is accessed or could have been accessed, the law presumes the data will be misused. Fines of $100 or $750 may not seem like much but figuring the possible size of the breach; the result could be in the millions of dollars.
For example, a company is hacked, and it is determined that 5000 accounts were accessed. The fines could reach $3.75 million -even if no actual damages can be proven! Of course, AB 375 does not layout any liability if the data was encrypted.
The days of “we’re sorry, here’s free credit monitoring” are gone
Another example. Many/most of us have received emails or letters in the past from large companies saying that they had experienced an “unauthorized breach and your data may have been accessed and stolen.” The company further says not to worry, they are providing you with one or two years’ worth of free credit monitoring – and you’re welcome!” Now, CA residents can immediately bring an action against the company and be awarded damages without needing to prove actual damages. And let’s not forget that this law will be a huge opportunity for attorneys filing class action lawsuits.
Data security and information management will take center stage
AB 375 raises the bar for much higher security for companies collecting or in possession of California resident data. The law also will force companies to be more aware of the consumer data they are collecting and manage that data more granularly. And preparing for the new California law (as well as the just-released GDPR) will be more complicated as other states look at adopting their own privacy laws. The question will be; will the other states adopt California’s law or will each come up with their own slightly different privacy regulation?
Considering this new security environment, companies will first need to focus on data consolidation followed by security. It is easier to secure a single repository as well as perform search, review, production, and retention/disposition on the data than working with several different application repositories with different rules and capabilities.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.