BY MATTHEW SMITH, LEGAL COUNSEL
On 1 January 2020, the California Consumer Privacy Act (‘CCPA’) came into force. The CCPA will have a significant impact on businesses with even a light Californian footprint, and not just in terms of their compliance and regulatory burdens: there could be serious consequences for individual business owners and officers whose companies breach the CCPA. Those who may be affected should assess their current asset protection strategies, consider whether they are sufficient to protect them in the event of a worst-case breach scenario and look at strengthening them if they are not.
In this article we will look at what the CCPA does; which companies fall within its scope; the consequences of non-compliance; why this should be of concern to those who own and operate businesses both in and outside of the Golden State; and what those persons can do to protect themselves from these consequences.
What is the CCPA and what does it do?
The CCPA allows any consumer living in California to demand to see all the information a company has saved on them, as well as a list of third parties with whom that information has been shared. Californian consumers also have the right to require businesses to delete their personal data and to cease selling it to third parties. When a consumer exercises CCPA rights against a company, the company may not offer a lesser service or impose higher fees as a result.
Obligations for businesses include notifying customers at the point of data collection; creating procedures to allow customers to exercise opt-out, knowledge and deletion rights; responding to customer requests to exercise these rights within specific timeframes; and verifying the identity of consumers who request to exercise these rights. Failure to comply with these obligations will place a company in violation of the CCPA, opening it up to regulatory action and potentially calamitous fines.
In addition, the CCPA creates a private right of action for data breach, if hackers gain access to sensitive consumer data. Businesses that fail to implement reasonable security measures, such as encrypting or redacting consumer information, face the risk of class action lawsuits.
Many companies affected by the CCPA will have some familiarity with what is required of them, as they will also be subject to the European Union General Data Protection Regulation (‘GDPR’) and should have made changes to comply with that legislation. However, there are important differences between the CCPA and the GDPR, and compliance with the latter will not necessarily render a business CCPA-compliant; in many respects, the CCPA goes further and is more onerous.
Which businesses are affected?
Not just Californian businesses. In fact, not just American businesses. The CCPA covers all companies which serve California residents and which meet at least one of the following criteria:
- have gross annual revenues in excess of USD 25m;
- hold personal data on at least 50,000 people; or
- collect more than 50% of their annual revenue from the sale of consumer information.
It is estimated that as many as 500,000 businesses in the USA alone became subject to the CCPA on 1 January, many of them small and medium-sized companies.
What happens to a company that violates the CCPA?
The consequences of a violation can be severe. If a company fails to remedy a violation within 30 days of being notified of it, both the affected consumer and the California Attorney General are entitled to bring a lawsuit against the company. In proceedings brought by the Attorney General, the maximum civil penalty is $2,500 for each violation, increasing to $7,500 for each intentional violation. It’s easy to see how, for example, a systemic failure by a company with 50,000 customers to allow those customers to exercise opt-out rights could result in a crippling multimillion-dollar lawsuit, with a potential maximum fine of $375m in that scenario.
Who should be most worried by the CCPA?
We spoke with Lily Li, founder of Metaverse Law in Irvine, CA (https://www.metaverselaw.com/) which specialises in data protection, privacy and cybersecurity law. Lily believes that the firms most likely to fall foul of the new law are those operating in real estate and hospitality, as they are generally less familiar with cybersecurity rules compared to those in more heavily regulated industries such as healthcare, finance and technology. CPAs and MSPs also face elevated risk because of the sensitivity of the information they collect.
Owners and top-tier officers of all companies should treat the risk of personal liability as heightened, however. Firstly, there is the risk of their being named in their individual capacity in lawsuits brought directly by consumers, even though the CCPA targets businesses. Secondly, Lily explains, there is the risk of the Federal Trade Commission attaching personal liability to a company officer for a major data breach or privacy violation. By way of example, following an investigation into privacy violations by social network TikTok, FTC commissioners released the following joint statement on 27 February 2019:
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.
Furthermore, according to Lily, the CCPA is the tip of the iceberg, with equivalent state-specific laws either enacted or in the pipeline in at least 20 other states including Washington, Nevada, New York, Massachusetts and Maryland.
What protection is available?
The best protection is prevention. Affected businesses should obtain appropriate legal advice and take all steps to ensure they are fully compliant not just with the CCPA, but with equivalent laws in other states as they are enacted. For company owners and officers worried their personal assets might be wiped out if they are found to be liable for privacy and cybersecurity violations by their companies, a Cook Islands asset protection trust can provide valuable peace of mind. Under Cook Islands trust laws, any assets placed into a trust before the grounds for a creditor claim have crystallised are protected and cannot be made available to courts or creditors.
For more information on setting up an asset protection trust in the Cook Islands, please contact [email protected] or call us on 1-800-361-5120.