Sweeping New California Data Privacy Law Takes Effect

Ian McLin
Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing Arnstein & Lehr LLP

On January 1, 2020, the landmark California Consumer Protection Act ("CCPA") took effect. The CCPA imposes specific rules regarding how certain for-profit companies doing business in California collect, store, and use California consumers’ personal information. Under the CCPA, such companies must implement reasonable security procedures to safeguard the personal information they collect and must allow California consumers to opt out of the sale of their personal information to third parties. Companies must further allow consumers access to any personal information the company has collected about them and, if the consumer so requests, must delete any such personal information. For more information about the obligations imposed by the CCPA, see here and here.

Beyond these ambitious new protections, the CCPA is unique in how it is enforced.  Unlike other data privacy laws, the CCPA expressly provides a private cause of action. Where a company fails to implement and maintain reasonable security procedures and, as a result, a California consumer's nonencrypted or nonredacted personal information is accessed or disclosed without authorization, the CCPA allows that consumer to bring a civil action against the company. Consumers may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever are greater, and also may sue as a class.

The CCPA also provides for a more traditional method of enforcement. The California Attorney General may bring actions to enforce the provisions of the CCPA and may seek penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. The California Attorney General may not bring such enforcement actions until July 1, 2020, however.

Insurers should be aware that they may see claims arising out of CCPA violations in the near future, and that insureds may seek coverage under a number of policies, including cybersecurity and data privacy policies. Insurers also should be aware that these claims may be substantial. Given the amount the CCPA makes available as damages per consumer per incident, a class action arising from a major data breach could yield a significant award. The same is true of an enforcement action brought by the California Attorney General where a number of consumers are affected by a business practice or event. 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Saul Ewing LLP

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide