All eyes are on California as the countdown to California’s Consumer Privacy Act (CCPA) continues. This attention is for good reason—the CCPA is a data privacy law with the potential to change the landscape of data collection practices in the U.S. Approximately 500,000 U.S. businesses in various industries will have to comply with this new law when it goes into effect on January 1, 2020. When the CCPA goes into effect, consumers may then exercise their private right of action. This means that consumers may bring a civil lawsuit against any business for a data breach and potentially recover $100 to $750 per consumer per incident. Additionally, after giving a business notice and thirty days to cure the violation, the California Attorney General may issue civil penalties up to $2,500 per violation or $7,500 per intentional violation. The California Attorney General may begin this enforcement on July 1, 2020 or six months after publication of the final regulations, whichever is sooner.
If you do business in California, here are some things you can start to do to prepare for the CCPA:
- Make an inventory of personal information, using the CCPA’s definition of “personal information” as a guide.
- Update your Privacy Notice and make other required disclosures wherever personal information is collected.
- Build technical capabilities and conduct necessary employee training to respond to verified consumer rights requests.
- Add “Do Not Sell My Personal Information” link and other technical opt-out capabilities (if your business “sells” personal information).
- Implement reasonable security practices and procedures.
- Add required contract provisions to service provider contracts (if your business “sells” personal information or desires limited liability).
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
© 2022 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern
- Data Security in the Remote-Work Environment – 10 Reminders Regarding Data Security and Cyber Attacks