Happy New Year – Reminder: The California Consumer Privacy Act (CCPA) is Now in Effect
Perhaps you saw the warnings throughout 2019 that the California Consumer Privacy Act (CCPA) would go into effect on January 1, 2020. Maybe you also saw that the CCPA applies to a large swath of companies throughout the world, including many with no physical presence in California. What caught most people's attention were the steep penalties for non-compliance, which can come from California's Attorney General and from a statutorily created consumer right of action (yes, a company can face both). Those who are up to speed on the CCPA know that the exposure for CCPA violations can be much higher than under other consumer protection statutes (fact: the potential liability for CCPA violations can range from 50% to 500% higher than under the TCPA, the Telephone Consumer Protection Act).
Risk-savvy business owners understand that regular policy audits, which both recognize and anticipate evolving legal trends, are the best way to ensure compliance with the dozens of data protection laws that may apply to them. We know how annoying that is (another reminder: we don't make the law). You may have already gone through a significant business interruption because of the EU's General Data Protection Regulation (GDPR). We also know that prophylactic legal spend on risk and liability reduction is not something business folks fantasize about. But the year is 2020. Data is more important than ever, and protection of data is paramount.
There are some similarities between the GDPR and the CCPA. The CCPA is potentially the beginning of the US version(s) of the GDPR, as other states have already started ramping up consumer data protection. But it is important to note that it is not safe to rely on GDPR policies alone. Numerous provisions of the CCPA are broader than, or quite different from, the GDPR. We'd detail those here, but our experience shows that the prospect of a deep dive into the syntax and nuance of the technical portions of a new California law may cause you to stop reading before understanding the true importance of paying close attention to the CCPA.
The CCPA, like most laws, has some gray areas and some unsettled questions. For example, under the CCPA you may be able to avoid certain penalties or statutory damages if you can show that you have cured the violation(s) within 30 days of receiving written notice of it. But, as a firm with lawyers who have advised several companies on data breach events and issues, we're very interested to hear how someone can prove that they have "cured" a data breach. Once a breach occurs, it is difficult to put the toothpaste back in the tube.
Many business owners are not equipped to handle the hoop-jumping required by the CCPA. For just a few examples, when the CCPA applies to a business, that business will need to (i) know how to calculate the value of personal data, (ii) know the record-keeping requirements of the CCPA and how to abide by them, (iii) know how to handle opt-out notification to third parties, (iv) have CCPA policies and training in place, (v) know the requirements for the sale of personal information, and preferably (vi) have an automated way to treat a deletion request as a "do not sell" request. While these are not the only action items, they are some of the harder tasks to scale, especially for a small or medium-sized business.
The CCPA also has one of the broadest statutory definitions of "personal information" under current US law. Did you know that if your business meets one of the CCPA's applicability thresholds and collects the "personal information" (as defined under California law) of just one California resident, then the CCPA applies to you, no matter where you are located? Whether you are a nationally recognized digital marketing agency in Manhattan or a boutique shop in Portland that sells small wooden birds over the internet, if you hold "personal information" as defined under the CCPA of a California resident, you should ask legal counsel about the CCPA. Granted, there are thresholds, exceptions and exemptions that may temper whether and how the law applies to you or your company (more on this here). But "personal information" is defined so broadly that it includes common identifiers such as the cookies set by your website. If the CCPA applies and you have a high-traffic website, the liability caused by non-compliance could reach hundreds of thousands or even millions of dollars. TIP: Not sure whether your website sets cookies? Open your browser's developer tools on your own site (the Application or Storage tab in most browsers lists every cookie the page has set), or ask whoever runs your analytics and advertising tags.
Will your cyber liability insurance cover the CCPA? Maybe. Some providers have expanded coverage to address new privacy laws such as the CCPA, the GDPR, and Nevada's new privacy law that went into effect in October 2019. However, many policies exclude claims for damages resulting from the insured's failure to maintain minimum adequate security measures. Cyber liability policies, like other insurance coverage, often come with exclusions for certain types of harm. Adding to this uncertainty, some courts have even found that insurance policies contain implied exclusions that are absent from the policy's explicit language. For these and many other reasons, you should still take all reasonable efforts to comply with data privacy laws and reduce the risk of a violation, which may or may not be covered by your cyber liability policy.
If a law applies to you, you are generally better off complying with it and avoiding the risk in the first place. That being said, making sure your insurance covers fines, penalties and statutory damages connected with the CCPA and other applicable laws and regulations is smart. As CCPA enforcement plays out, expect the insurance market to respond by scaling back coverage or increasing premiums.
As we begin 2020, and the CCPA and other new laws start to have a major impact on business, Pruvent wants to make your transition period as painless as possible, while helping you determine how best to avoid liability.