- Emergency Consultation Services
- FMG BlogLine
- Who We Are
- Our People
- What We Do
- Why We Are Different
- What’s New
- Where We Are
By: Kacie Manisco
California has passed a sweeping data privacy law that will result in dramatic changes to how businesses in the state handle consumer data. AB 375, which will take effect on January 1, 2020, grants consumers more control over and insight into the dissemination of personal information, but imposes significant obligations on certain businesses in order to achieve those goals.
The law will apply to any California business that: (1) has an annual gross revenue over $25 million; or (2) alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling consumers’ personal information.
The new legislation is similar in nature to the European Union’s General Data Protection Regulation (GDPR) and is intended to provide residents of California the most comprehensive consumer privacy rights in the country. To that end, AB 375 requires covered businesses to give California residents:
Additionally, one of the most significant aspects of the law creates a private right of action for any consumer for data breaches, without the requirement that the consumer prove injury before being awarded damages. The law provides, “any consumer whose nonencrypted or nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may be subject to a civil lawsuit. A consumer would be entitled to recover actual damages or statutory damages of between $100 and $750 per consumer per incident (whichever is greater), plus injunctive or declaratory or other relief.
While AB 375 does not take effect until 2020, California businesses should begin the process of reviewing these new complex requirements and evaluating the applicability of the regulations to its operations. Specifically, businesses should begin to assess the types and scope of data it currently collects (and has collected and stored in the past) that may be covered by the law. Moreover, organizations should minimize their exposure in handling personal data, keeping only the data directly necessary for business and legal needs.
If you have any questions or would like more information, please contact Kacie Manisco at [email protected].