Sweeping New California Data Privacy Law Takes Effect
On January 1, 2020, the landmark California Consumer Protection Act ("CCPA") took effect. The CCPA imposes specific rules regarding how certain for-profit companies doing business in California collect, store, and use California consumers’ personal information. Under the CCPA, such companies must implement reasonable security procedures to safeguard the personal information they collect and must allow California consumers to opt out of the sale of their personal information to third parties. Companies must further allow consumers access to any personal information the company has collected about them and, if the consumer so requests, must delete any such personal information. For more information about the obligations imposed by the CCPA, see here and here.
Beyond these ambitious new protections, the CCPA is unique in how it is enforced. Unlike other data privacy laws, the CCPA expressly provides a private cause of action. Where a company fails to implement and maintain reasonable security procedures and, as a result, a California consumer's nonencrypted or nonredacted personal information is accessed or disclosed without authorization, the CCPA allows that consumer to bring a civil action against the company. Consumers may recover statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever are greater, and also may sue as a class.
The CCPA also provides for a more traditional method of enforcement. The California Attorney General may bring actions to enforce the provisions of the CCPA and may seek penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. The California Attorney General may not bring such enforcement actions until July 1, 2020, however.
Insurers should be aware that they may see claims arising out of CCPA violations in the near future, and that insureds may seek coverage under a number of policies, including cybersecurity and data privacy policies. Insurers also should be aware that these claims may be substantial. Given the amount the CCPA makes available as damages per consumer per incident, a class action arising from a major data breach could yield a significant award. The same is true of an enforcement action brought by the California Attorney General where a number of consumers are affected by a business practice or event.