Part of the Privacy Series
The Big Picture
Europe has blazed the way forward with the consumer-focused GDPR. While the U.S. has lagged a bit, California is leading the way for U.S. adoption of similar privacy laws. A number of other U.S. states have new privacy legislation in process or on the docket. Make sure your company is prepared to respond and adapt.
California’s One-Two Punch
It began with “CCPA,” the 2019 California Consumer Protection Act that introduced the new rules and standards for companies selling to California consumers. Now, part 2, the “CPRA,” or California Privacy Rights Act, which amends and complements parts of CCPA and provides the teeth to help enforce the law – and issue fines for companies that do not handle consumer (and employee) data correctly, is set to take effect January or 2023.
So What?
How about this? Agency fines can be up to $7,500 per instance if it is found personal information has been intentionally breached (mishandled), and many companies directly or indirectly (as contractors) to companies touching Californians will be subject to wide-ranging, disruptive and expensive regulatory audits. So, if you have a 50,000 California person database and you have no compliance and flagrant use of personal information as defined by the Act, that’s a potential claim of a whopping $375 million claim before settlement talks. Californians are also permitted to file direct claims. Nevada and other states are not far behind!
Timing
January 2023 could start an avalanche of claims and possible class action litigation coming from California and ambitious litigators from other states – it could be a lot like what started in 2018 and 2019 when the EU’s GDPR data privacy law went into effect and giants were scrutinized by a central agency and later by individual countries. In Europe, Amazon was fined and settled for $824M, What’s App settled for $247M, multiple Google entities, including Google LLC and Google Ireland, settled for €90M and €60M respectively, and Facebook settled for $66M with multiple claims still in progress. Five years later, the EU and member states are still collecting. And, smaller companies are not immune.
What can I do?
We recommend building awareness and putting in place a company compliance plan, internal and external policies, and proper contracts with your customers and suppliers. Triumph Law is ready to help you right away: Triumph’s Technology Transactions Group (TTG) attorneys have deep experience and capability in preventative data privacy law compliance, privacy policy development, and related contracts law drafting & negotiation support. Don’t wait to take action: even small companies need to be ready.
About the author: Elizabeth Tasker is a technology transactions and commercial attorney in the TTG group at Triumph with extensive in-house experience in preventative law. She is an expert in solving businesses legal problems and all things technology contracting, including Data Privacy and Data Security, SaaS, PaaS, content licensing, software development, outsourcing, marketing, real estate, M&A and corporate governance. Elizabeth’s career has spanned helping innovative start-ups to corporate giants. Elizabeth also acts as outside General Counsel for the US subsidiary of a large offshore IT software development multinational.
Comments