Most companies hope to maximize profits and minimize risk; in fact, cost-benefit analyses are deployed almost daily for most managerial and operational decisions, so there is a strong possibility that your organization has shifted its attention from data privacy to “more urgent” matters. After all, you probably believe you do not collect personal information.
Companies often have an abstract idea of what “Personal Information” is. Years of experience suggest that the only Personal Information worth protecting is high-value information. This includes credit card numbers, social security numbers, and personal banking information. This has been the case for most of the digital age.
However, under the newly enacted California Consumer Privacy Act (CCPA), Personal Information includes but is not limited to:
- unique personal identifiers,
- IP addresses,
- email addresses,
- driver’s license numbers,
- social security numbers,
- passport numbers,
- signatures, and
- telephone numbers.
What to Do Next
The first step in identifying whether such data is collected by your company is to ask. You should have general discussions with departments and teams, as well as their respective leads. Also consider drafting general data questionnaires for individuals who have a strong familiarity with your company’s data storage systems and practices. This should include (at least) members of the IT department, human resources, and marketing and business development. Ultimately, you may be surprised to find that even if most of your organization does not handle data, some departments do collect Personal Information as defined by the CCPA.
If you find that your organization does collect Personal Information, you should quickly become familiar with the location of that data and discuss your obligations with counsel. If you are required to comply with the CCPA and you fail to do so, you could become subject to fines of $2,500 per violation, per consumer. Under the CCPA, a single data breach incident affecting 100 California citizens could result in a fine of $250,000. This is especially troubling because many insurance policies may exclude protections for liability incurred due to violations of data protection laws or data breaches.
Employers with questions regarding data privacy, cybersecurity or other business matters should contact a Kerr Russell attorney.
Nezar G. Habhab has a broad transactional practice handling matters related to leasing and purchasing, mergers and acquisitions, entity formation, commercial contracts, as well as data privacy. He works as part of the firm’s Data Privacy and Cybersecurity team to draft and review company policies, facilitate cross-border data transfer arrangements, and counsel clients on the risks associated with the control and processing of data around the globe. Additionally, Nezar is experienced in drafting and negotiating a variety of artist, influencer, branding, and licensing agreements in the experiential and marketing space for both SAG-AFTRA and non-SAG talent.