You’ve taken all the steps – shut down EU operations, turned off German language translation, and ceased taking Euros. You canned the entire PR department in Dublin and moved your cloud storage from Charleroi to Sheboygan. You’ve even put up a giant American flag on the website. And just when you thought it was safe to exploit your customers’ data without their knowledge or explicit consent, here comes California, with a proposed new law that is basically a mini-GDPR for the US.
Kidding aside, get ready for the Next Big Thing (as if you needed more excitement). The proposal is called the California Consumer Privacy Act (CCPA). The background is fascinating – a real estate mega-developer, a former BlackRock managing director, and a CIA analyst – crafted a law to give data subjects greater control over personal data and restrict transfers to third parties. The law would not be as robust as GDPR, but it does mandate that data subjects have:
- The right to know what data is collected;
- The right know if their data is sold;
- The right to block the sale of their data to third parties; and
- A private cause of action with statutory damages for either a failure to abide by the notice and consent provisions or a data breach, if the breach could have been prevented by “reasonable security procedures and practices.”
There are also a number of important sections dealing with state regulation, whistleblowers, and the ability of the legislature to amend the act, and while those are secondary to our purposes today, they are very important.
That damages provision is, however, the most concerning for businesses. Statutory damages are a vehicle that allow for plaintiffs to recover damages, even if they weren’t actually harmed by the subject of the lawsuit. So, every consumer who has had their personal information improperly sold, transferred, or hacked is entitled to statutory damages of $1,000 or their actual injury, whichever is higher. If the company acted willfully, the baseline statutory damages jump to $3,000. So you know all of those breach lawsuits where data was accessed but there was apparently no harm done, so the plaintiffs get free credit monitoring and an apology? Those are now potentially multi-billion dollar lawsuits (provided, of course, that the victims are California residents). For context, even a small breach, like the one that hit 1,000 California realtors last year, would come with a minimum statutory penalty of over a million dollars. In other words, there is a massive amount of liability looming.
The CCPA is not yet a law, it’s not even a bill — it’s a proposed referendum (a proposition) that has to be approved for the ballot. The process to get it on the ballot and before voters has been very interesting. Google, Facebook, Apple, AT&T and Verizon all contributed $200,000 to form a PAC called “The Committee to Protect California Jobs” to fight CCPA, but Facebook recently dropped its opposition because, you know, it’s got some other stuff going on right now.
If your business isn’t in California, you may wonder how this can have an effect on you. Federal law or federal regulations have nationwide effect, but how can California voters institute laws that will change how businesses in other states operate? The answer is: quite easily. For instance, have you ever seen a label that says “This product contains chemicals known to the State of California to cause cancer?” That was a proposition too – Proposition 65.
What does this mean for you? If you don’t sell products or services in California, and your products or services will never make their way to California, and you’ll never get personal data from a Californian, then, good news: you’re potentially not affected. But a) the stream of commerce in this country doesn’t work that way, b) CalExit isn’t happening any time soon, and c) most companies would not like to shut themselves out of the 6th largest economy in the world. You’d be better off refusing to sell in France or Italy than avoiding California.
But if your strategy is to run from jurisdictions where data security standards are rising, you’ll soon find that there are few places to turn. Although it is still, in our view, unlikely that the US will pass a nationwide, GDPR-style law in the near future, states like California have consistently been at the forefront of data security legislation. California is the reason why American companies started putting privacy policies online in the first place. There can be short-term differences in the law, but the trends towards data subject control and accountability are not going anywhere.
The best strategy, then, is to create a data security and data management plan that fits your company, but that looks beyond the short term. The lesson of the GDPR is that immediate solutions are not always the best, and that compliance is about much more than merely checking a box (and the box had better not be pre-ticked). By establishing a data strategy that anticipates trends — such as transparency, security, and consistency, perhaps — changes in the law like the CCPA will not have such a convulsive effect, and you don’t have to be so nervous about the next big thing.