A privacy law that takes effect in California on Jan. 1 is one of five such laws slated to take effect in various states next year that will tighten the regulation of online data.
As the issue of consumer privacy attracts more attention, more states are expected to pass similar legislation, in addition to the laws already passed in California, which will have the strictest rules; Colorado; Connecticut; Utah; and Virginia.
The California Privacy Rights Act, which was approved by voters in a 2020 ballot measure, amends the California Consumer Privacy Act, which took effect on January 1, 2020.
Like the previous law, which was influenced by the EU’s 2018 General Data Protection Regulation, the new law gives consumers a private right of action if there is a data breach.
But it expands on the previous law by including protections for employees, job seekers and independent contractors.
The law also eliminates a 30-day period that allows companies to “cure” violations before government enforcement action is taken.
The California Privacy Protection Agency, which was created by the 2020 law, will enforce the new law. The California Attorney General still retains enforcement powers as well.
The law applies to organizations with at least $25 million in annual gross revenue, those that deal in the personal data or information of 100,000 or more California residents, or those that derive at least 50% of their annual revenue from selling consumers’ personal information.
Enforcement of its provisions is scheduled to begin July 1, but experts warn that companies could still be held liable for failure to comply with its requirements after the January 1 implementation date.
The California measure is “a little closer to what we’re seeing in Europe with GDPR,” said Jenny L. Holmes, counsel at Nixon Peabody in Rochester, New York.
Companies should analyze the personal information they’ve collected and update or adopt policies and procedures to comply with the law, said Brian McGinnis, a partner with Barnes & Thornburg LLP in Indianapolis.
“It’s highly likely, if not certain, that even firms that have done a lot of work on the CCPA still have work to do,” said Odia Kagan, a partner with Fox & Rothschild LLP in Philadelphia.
Sean P. Nalty, a shareholder at Ogletree, Deakins, Nash, Smoak & Stewart PC in San Francisco, said employers could face more legal problems because of the new law’s applicability to employees, “especially if disgruntled employees were to try to use the law” to frustrate their employers.
“But if you put a good procedure in place and train your people appropriately, that’s pretty much going to be something that employers will be able to follow,” he said.
Experts predict there will be more enforcement than under the previous law because that function will be led by a dedicated agency.
Initially, enforcement will likely focus on data brokers who collect large amounts of information and use it for commercial purposes before expanding to serious violations by other organizations and those “who do nothing at all or window-dress,” said Philip L. Gordon, a shareholder with Littler Mendelson PC in Denver.
Experts predict that additional states will pass similar laws, though they won’t necessarily be as restrictive as California’s.
Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co., said, “It’s hard to say whether others will go as far as California, but certainly we will have some more comprehensive consumer protection laws” in more states in the near future.
“Obviously, a lot of American companies have ties to California, so they have to deal with the California statute, and so, unless Congress surprises us and there’s a national privacy law, California’s will remain the strictest,” said Jarno Vanto, a partner with King & Spalding LLP in New York.
Within a few years, more states will adopt privacy controls, and even states whose upcoming laws are now more lenient than California’s will eventually make theirs more stringent, said Joshua Gold, a shareholder at Anderson Kill PC in New York.
Employers will have coverage available under cyber liability insurance for liabilities incurred, experts say.
Tamara Snowdon, New York-based senior vice president and leader of cyber coverage for Marsh LLC’s U.S. and Canadian cyber practice, said, however, that while cyber policies “continue to provide incredibly robust coverage” for data breaches and disclosure of sensitive personal information, coverage for privacy issues really depends on the clients’ bargaining power and the level of sophistication they can demonstrate.
Coverage varies, said Deborah Hirschorn, Kansas City, Missouri-based managing director of America’s Cyber and Technology Errors and Omissions Claims at Lockton Cos. LLC. “Some (policy) forms are very broad and talk about managing and controlling personal information,” she said. Others’ policy language is stricter.
In addition, “it is not yet determined” whether fines under privacy laws, including the GDPR, are insurable, Hirschorn said.