January 6, 2020

California Privacy Law Will Affect Employers Across The United States

As Connecting the Dots explained last month, a new law that went into effect on January 1, 2020 will impact employers and manufacturers across the entire United States. The Associated Press noted, most U.S. employers “need to be aware of the law’s complex requirements even if they don’t deal directly with consumers.”

That is because the new law “covers companies that conduct business in California, including out-of-state companies that sell products or merchandise to California residents. The law can also cover companies that make money from providing services like payment processing or website hosting to businesses that are subject to the law.”

What is this new statute? In September 2018, then-California Gov. Jerry Brown (D) signed a consumer privacy measure that allows consumers to seek statutory or actual damages if their sensitive personal information is subject to unauthorized access, theft or disclosure as a result of a business’s failure to implement and maintain required reasonable security measures. This new statute, the California Consumer Privacy Act, is one of the most stringent privacy laws in the United States. Businesses that meet specific criteria and collect personal information about California consumers are covered by the law.

The National Association of Wholesalers has shared a legal brief outlining companies’ responsibilities. The NAW brief explains the law will apply to a business and its subsidiaries if it collects or receives personal information from California residents, directly or indirectly, and meets one or more of the following criteria:

  • The business has annual gross revenue that exceeds $25 million;
  • The business annually receives, buys, sells or shares, directly or indirectly, the personal information of 50,000 or more California residents, devices or households; or
  • Fifty percent or more of its annual revenue is derived from the sale of personal information about California consumers.

The law defines “personal information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The law allows for fines of up to $2,500 per violation or $7,500 per intentional violation. There is no cap on the total amount of fines. Businesses have a period of 30 days to remedy alleged violations of the law before a fine can actually be assessed.

Click here for more information and to read NAW’s full summary.

Stay tuned to Connecting the Dots for more information as companies, and the state, implement this new statute. As a next step, by July 1, 2020, the state attorney general must finalize regulations outlining exactly what companies must do to stay in compliance with the law. And, according to Axios, voters in California also could be asked to decide in the November 2020 election whether to expand consumer privacy rights.