California will be implementing the strongest electronic privacy law in the nation on January 1, 2020. However, provisions of the law mean that companies that collect and store data on California residents can be held accountable for data they store going back to January 1, 2019.
Starting January 1, 2020, California residents can request all personal data that an organization may have, going back 12 months. Any company that stores data on California residents will need to start now to make sure they are properly collecting and classifying California resident data starting January 1, 2019.
There are serious concerns among lawyers that this law will create a new minefield of litigation for businesses, and not only in those in California. Therefore it is important that organizations that store client data have their systems ready for requests, and also to ensure that those systems are properly safeguarded.
Some analysts believe that the new law will require any company doing business in California or with California consumers to comply, meaning that organizations in other states will also have to beef up their systems. As a result, this law could have national ramifications.
Under the new law, AB 375, any California resident will be able to ask any business that has collected their personal information for the types and categories of personal data the company has collected.
It also requires businesses to disclose the purpose for collecting the data, as well as whether they have sold it to a third party, the name of the third party, and for what purpose the data was sold. California residents can also ask the company to delete their data.
Reasons why lawyers are concerned
Here is what has defense attorneys and risk managers on edge about the law:
- Threat of lawsuits. If an organization notifies its customers that it has had experienced a data breach, California residents can immediately sue the company and be awarded damages without having to prove they actually suffered any real damages. They would only need to show that the organization failed to protect their data. Damages for a breach must be not less than $100 and no more than $750 per California consumer affected (or actual damages, whichever is greater).
- Compliance will get harder. The law requires companies that collect or hold data on California residents to safeguard that data and manage it more carefully.
- Data consolidation. Any company that holds data on California consumers will need to focus first on consolidating that data before securing it. That is because it is simpler to secure a single repository as well as perform search, review, production and retention/disposition of the data than if that data are stored in different applications with their own repositories.
- Higher legal, compliance costs. Because there is so much at stake, companies will have to spend more on both legal defense costs as well as hiring lawyers to evaluate compliance efforts. They will need to work closely with counsel to make sure they can show they are doing all they can to protect the data, and if they are sued, they may need to retain counsel.
- Infrastructure costs of compliance. Businesses will have to spend significantly to ensure they are complying with the law, even if they only have a few California customers. The key will be to remain compliant with the law while at the same time ensuring that operations don’t suffer as a result of doing so.
The takeaway
Any company doing business with California customers and which stores data on California residents will have to make sure they comply with the law, and also that they can quickly respond to a consumer that asks for their data and what they have been doing with it.
Business owners will also need to beef up security to avoid the possibility that their data will be compromised or breached.
Pundits expect similar laws to come on the books in other states and that the California law will serve as a model for them.
Jay is a graduate of the University of Pennsylvania School of Dental Medicine and also has an MBA from San Francisco State University. He has worked for a number of insurance carriers and brokers over the past 25 years. At UBF, Jay specializes in advocating for our clients in various issues, including grievances, benefit inquiries and eligibility issues.