Over the last decade, stories of large data breaches, ransomware attacks, and identity theft have moved from isolated incidents to almost daily headlines. It is almost impossible to read a news thread or open a newspaper without seeing something related to cybersecurity or a data breach.
In early 2018, news about the Facebook/Cambridge Analytica scandal broke. The general public became aware of the larger problem that many in the privacy profession were already attempting to address – the misuse of personal data by those who obtained it lawfully.
The GDPR took effect in May 2018. And California was already moving toward adoption of the CCPA, which occurred in late June of the same year. But a host of other countries and states have either proposed, adopted, enacted, or at least considered similar laws focused on individuals’ rights to control the disclosure and use of their personal information. For example, while the GDPR and the CCPA have been the primary focus of most commentary, every state in the U.S. has some sort of incident-response statute. Many states (Connecticut, Florida, Illinois, Maine, New Hampshire, New York, Oregon, Virginia, and Washington, to name a few) have privacy-related bills pending or have recently enacted legislation that will impact companies throughout the U.S. in the next 12 months. Further, the U.S. Congress is considering bills to provide data-privacy protection at the federal level.
Critically, though, while these laws and regulations may focus on a specific jurisdiction, your organization could still be required to comply, regardless of your location. The CCPA provides a clear example.
A business located outside of California may still be subject to the CCPA if the business:
- “does business” in California (defined broadly),
- collects personal information on California residents (both “personal information” and “resident” are defined broadly),
- determines how and why that information is used, and
- meets one of three minimum threshold requirements.
A business located in Michigan may need to comply with the CCPA if it sells to California consumers, retains its customers’ address information for future correspondence, and has annual gross revenues in excess of $25MM.
While it may be tempting to take a wait-and-see approach, the penalties for non-compliance can be significant. A statutory violation of the CCPA can reach up to $7,500 per violation (read: per user) for an intentional violation. Fines under the GDPR have already been levied in excess of €400,000,000. And in 2019, the FTC issued a $5 billion fine (its largest ever) against Facebook for what it termed “deceptive” privacy practices. Just as critically, a violation of privacy laws carries with it a substantial loss of goodwill with consumers.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.