State Senate Sets Controversial Amendment of Consumer Privacy Law Aside for Now, But Penalties Remain
The California Consumer Privacy Act of 2018 (CCPA) goes into effect January 1, 2020, and is intended to protect the use, sharing and selling of consumers’ personal information, amongst numerous other requirements. The CCPA has been amended once to date, by Senate Bill 1121 (signed into law in September 2018), for clarification and to address various technical issues.
Senate Bill 561 was introduced earlier this year and made a number of proposed modifications to the CCPA including the following:
As of May 16, 2019, however, the California Senate has set Senate Bill 561 on hold.
Why Does This Matter?
This is good news for California businesses, at least for now. This decision precludes individual consumer suits for CCPA violations. Further, it allows a reasonable amount of time to respond to and address alleged violations of the CCPA. However, it is important to understand that the CCPA is likely to evolve over the next several years following its enactment. Additionally, the federal government is presently in deliberations over the establishment of a national privacy standard, with Congress reviewing the CCPA as part of that process.
While the details of the CCPA will develop further, it remains important to be prepared for compliance with all aspects of the CCPA as January 1, 2020 quickly approaches. All businesses remain obligated to protect against any breach of personal information and have a “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” in order to protect consumers’ personal information.
While no specific guidance has been provided as to what security procedures and practices are required by the CCPA, all businesses have an affirmative obligation to establish security procedures and practices to protect any personal information maintained. Parties that do not comply remain subject to substantial penalties in the event of a violation as further described below.
Penalties and Enforcement
The allowed damages of $100 to $750 may sound reasonable at first, but keep in mind that these amounts are based on each consumer affected by a data breach incident. As an example, if your company maintains personal information for 50,000 consumers and such information is breached, potential penalties range from $5 million to a staggering $37.5 million for that specific incident.
What Should I Do Now?