This article first appeared on Thomson Reuters Regulatory Intelligence.
The summer of 2018 may be regarded as a pivotal time in the history of data privacy laws. The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018, the California Consumer Privacy Act (CCPA) was signed into law in June 2018 (and comes into effect on January 1, 2020), and a draft of India’s Personal Data Protection Bill (India DP Bill) was released in July 2018 (and is now under review by India’s government).
These developments, and more generally, the recent proliferation of data privacy laws around the world (notably, in Australia, China, Brazil, Hong Kong, and Singapore) represent a compliance challenge for many multinational organizations.
*This article was first published by Bloomberg Law in August 2019
Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”
Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.
With less than three months to go before amendments to California’s far reaching data privacy law need to be signed into law, the CCPA landscape may be changing yet again, as several amendments debated in the state Senate Judiciary Committee on July 9th underwent significant modifications. Eight proposed CCPA amendments were on the committee’s agenda, and several were hotly debated in an hours-long session that extended late into the night. In the end, two of the bills had substantive modifications, another was stalled, one was defeated, and the rest made it out of the committee, with limited changes. Here we summarize the highlights.
When California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law on June 28, 2018, there was broad agreement that revisions and clarifications were necessary. The CCPA was written and enacted with extraordinary speed, as legislators felt the need to move quickly in order to preempt a data privacy ballot initiative that had received enough signatures to be placed on California’s November ballot. Consequently, June 28 was, in many ways, the beginning of a debate over the specifics of the CCPA, rather than the end. Indeed, the California legislature has already passed a “clean-up” bill to address concerns expressed about the CCPA, and heated debates over the meaning and merits of specific provisions continue. (more…)
With the midterm election out of the way, legislators on Capitol Hill and in state capitols are getting ready to consider the future of data privacy regulation in 2019 and consumer and industry groups continue to weigh in on the ongoing debate. The debate has begun to move from principles and frameworks to drafting of legislative language.
On Friday, August 31, the California legislature unanimously passed a host of “clean-up” amendments to the new California Consumer Privacy Act (CCPA), AB 375, as it set about addressing flaws and other concerns in the state’s groundbreaking data privacy law. These amendments are now awaiting Governor Brown’s signature. (more…)