A tidal wave is coming, but not from the Gulf of Mexico. A new California law will soon wash over businesses throughout the country, including many in Louisiana. The California Consumer Privacy Act (CCPA), the most consequential privacy legislation the U.S. has seen, goes into effect in less than 75 days. Why should you care? Because it could significantly impact many Louisiana businesses.
The CCPA creates expansive new consumer rights for California residents, including the right to demand that company-held personal data be shared with them or deleted. A business has 45 days to respond to a CCPA “data subject request” or face an enforcement action and possible fines levied by California’s attorney general. The law also grants consumers the right to seek statutory damages for certain types of data breaches. Many predict that this new private right of action will stimulate a lawsuit deluge.
The CCPA applies to any for-profit business that handles “personal information” of California residents, B2C contacts, or has California-based employees, and that meets one of the following thresholds: (a) has annual gross revenues of more than $25 million; (b) receives or shares the personal information of at least 50,000 consumers, devices, or “households” (an undefined term); or (c) derives 50% or more of its annual revenue from consumer data sales. While the first trigger would exclude many small and mid-sized businesses, a Louisiana company could meet the second threshold if its website attracts only 140 California-based unique visitors per day.
Meanwhile, every emerging company may find that the CCPA applies if its business depends on web commerce. Also, companies that are third-party vendors to California-based businesses will be receiving requests from those customers that do business in California to show that their processing of personal information does not undermine the customers’ CCPA compliance.
For now, any Louisiana company whose business (including web commerce) touches California consumers should take time to determine whether the CCPA affects it—and how to comply as the January 1, 2020, effective date rapidly approaches. Compliance steps include updating (or creating) privacy policies, preparing a protocol for responding to data subject requests (including becoming familiar with exceptions based on statutory exclusions), and identifying service providers to assess their compliance. If you determine that California consumer data is being sold, shared, or transferred (under the statute’s broad statutory definition of that term), your business is in the crosshairs.
A final reason Louisiana companies should take notice is that the CCPA is likely a harbinger of things to come, as several states’ legislatures are considering similar consumer privacy measures. On the federal level, privacy legislation is a regular topic of discussion, and many think it will be modeled on California’s law. So even if your business manages to avoid this tidal wave from the West, the next one may deliver a soaking.
ABOUT THE AUTHOR: Andy Lee is a partner at Jones Walker and serves as the co-chair of the firm’s data privacy and security team. He regularly advises clients regarding data privacy and cybersecurity, records retention policies, electronic discovery, and related issues. He helps develop, implement and enforce policies and procedures to ensure defensible, repeatable and efficient processes and programs to safeguard the security of sensitive corporate data and to speed recovery after cyber intrusions. He also represents parties in litigation involving privacy and cybersecurity as well as in other commercial disputes at the trial and appellate levels.