All eyes are on California as the countdown to California’s Consumer Privacy Act (CCPA) continues. This attention is for good reason—the CCPA is a data privacy law with the potential to change the landscape of data collection practices in the U.S. Approximately 500,000 U.S. businesses in various industries will have to comply with this new law when it goes into effect on January 1, 2020. When the CCPA goes into effect, consumers may then exercise their private right of action. This means that consumers may bring a civil lawsuit against any business for a data breach and potentially recover $100 to $750 per consumer per incident. Additionally, after giving a business notice and thirty days to cure the violation, the California Attorney General may issue civil penalties up to $2,500 per violation or $7,500 per intentional violation. The California Attorney General may begin this enforcement on July 1, 2020 or six months after publication of the final regulations, whichever is sooner.
If you do business in California, here are some things you can start to do to prepare for the CCPA:
- Make an inventory of personal information, using the CCPA’s definition of “personal information” as a guide.
- Update your Privacy Notice and make other required disclosures wherever personal information is collected.
- Build technical capabilities and conduct necessary employee training to respond to verified consumer rights requests.
- Add “Do Not Sell My Personal Information” link and other technical opt-out capabilities (if your business “sells” personal information).
- Implement reasonable security practices and procedures.
- Add required contract provisions to service provider contracts (if your business “sells” personal information or desires limited liability).
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2019 Keating Muething & Klekamp PLL. All Rights Reserved
- Cybersecurity and Privacy Law
- Cybersecurity Regulation
- Data Breach
- Class Action Litigation
- Privacy Laws
- General Data Protection Regulation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- Cyber Insurance
- California's New Privacy Law is Coming - Are You Ready?
- September 2018 Was a Busy Month for Data Privacy
- GDPR - 90 Days Later
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- SEC Issues Guidance on Cybersecurity Disclosures
- New D.C. Circuit Ruling Finds Substantial Risk of Harm Inherent to Data Breach
- Target Class Action Settlement Temporarily Upended
- Spokeo Continues to Divide the Lower Courts in Cybersecurity Litigation
- Cyber Breach Incident Notification Guidelines Ahead
- CyberSecurity News: Spokeo, Galaria and Braitberg