Dear Clients, Colleagues, and Friends,
On January 1, 2020, the California Consumer Privacy Act (‘CCPA’) came into force. The CCPA will have a significant impact on businesses with even a light Californian footprint, and not just in terms of their compliance and regulatory burdens: there could be serious consequences for individual business owners and officers whose companies breach the CCPA. Those who may be affected should assess their current asset protection strategies, consider whether they are sufficient to protect them in the event of a worst-case breach scenario and look at strengthening them if they are not.
What is the CCPA and What Does it do?
The CCPA allows any consumer living in California to demand to see all the information a company has saved on them, as well as a list of third parties with whom that information has been shared. Consumers have the right to require businesses to delete their personal data and to cease selling it to third parties.
Businesses must notify customers at the point of data collection; create procedures to allow customers to opt out, share knowledge and deletion rights; respond to customer requests to exercise these rights within specific time frames; and verify the identity of those requesting to exercise these rights. Failure to comply will place a company in violation of the CCPA, opening it up to regulatory action and potentially calamitous fines.
Businesses that fail to implement reasonable security measures, such as encrypting or redacting consumer information, face the risk of class action lawsuits.
There are important differences between the CCPA and the GDPR (European Union General Data Protection Regulation), and compliance with the latter will not necessarily render a business CCPA-compliant; in many respects, the CCPA goes further and is more onerous.
Which Businesses are Affected?
The CCPA covers all companies which serve California residents and which either:
- Have gross annual revenues in excess of USD25m;
- Hold personal data on at least 50,000 people; or
- Collect more than 50% of their annual revenue from the sale of consumer information.
It is estimated that as many as 500,000 businesses in the USA alone became subject to the CCPA on January 1, many of them small and medium-sized companies.
What Happens to a Company That Violates the CCPA?
The consequences of a violation can be severe. If a company fails to remedy the violation within 30 days of notification, both the affected consumer and the California Attorney General are entitled to bring a lawsuit against the company.
Who Should be Most Worried by the CCPA?
Lily Li, founder of Metaverse Law in Irvine, CA, who specializes in data protection, privacy and cyber security law, believes that the firms most likely to run afoul of the new law are those operating in real estate and hospitality, as they are generally less familiar with cyber security rules than those in more heavily regulated industries.
Owners and top-tier officers of all companies should treat the risk of personal liability as heightened. Firstly, there is the risk of being named in one’s individual capacity in lawsuits brought directly by consumers, even though the CCPA targets businesses. Secondly, as Li explains, there is the risk of the Federal Trade Commission attaching personal liability to a company officer for a major data breach or privacy violation.
Furthermore, according to Li, the CCPA is the tip of the iceberg, with equivalent state-specific laws either enacted or in the pipeline in at least 20 other states including Washington, Nevada, New York, Massachusetts and Maryland.
What Protection is Available?
The best protection is prevention. Affected businesses should obtain legal advice and take steps to ensure they are fully compliant not just with the CCPA, but with equivalent laws in other states as they are enacted. For company owners and officers worried their personal assets might be wiped out if they are found to be liable for privacy and cyber security violations by their companies, a Cook Islands asset protection trust can provide valuable peace of mind. Under Cook Islands trust laws, any assets placed into a trust before the grounds for a creditor claim have crystallized are protected and cannot be made available to courts or creditors. If you live in CA, consider having the business create a Private Retirement Plan, with the owner contributing selected assets to the Plan for enhanced protection from creditors and predators.
Thank you, Mathew Smith, legal counsel to www.southpacgroup.com, for sharing this timely and urgent article.
Jeffrey M. Verdon, Esq.
Jeffrey M. Verdon Law Group, LLP / www.jmvlaw.com / 949-333-8143