States expand data liability for employers

A privacy law taking effect in California Jan. 1 is one of five such laws scheduled to take effect in various states next year that will tighten regulation of online data.

More states are expected to pass similar legislation, in addition to the laws already approved in California, which will have the most stringent rules; Colorado; Connecticut; Utah; and Virginia, as the issue of consumer privacy garners more attention. 

The California Privacy Rights Act, which was approved by voters in a 2020 ballot measure, amends the California Consumer Privacy Act, which took effect Jan. 1, 2020.   

Like the earlier act, which was influenced by the European Union’s 2018 General Data Protection Regulation, the new law grants consumers a private right of action if there is a data breach. 

But it expands on the earlier law by including protections for employees, job applicants and independent contractors. 

The law also eliminates a 30-day period permitting companies to “cure” violations before government enforcement actions are taken.  

The California Privacy Protection Agency, which was created by the 2020 law, will enforce the new law. The California attorney general still retains enforcement powers, too.

The law applies to organizations with at least $25 million in annual gross revenue, those that deal in the personal data or information of 100,000 or more California residents, or those that derive at least 50% of their annual revenue from selling consumers’ personal information.  

Enforcement of its provisions is slated to begin July 1, but experts warn companies may still be found liable for failure to comply with its requirements after its Jan. 1 implementation date. 

The measure in California is “a bit closer to what we see in Europe with the GDPR,” said Jenny L. Holmes, counsel with Nixon Peabody in Rochester, New York. 

Companies should analyze the personal information they have collected and update or adopt policies and procedures to comply with the law, said Brian McGinnis, a partner with Barnes & Thornburg LLP in Indianapolis. 

“It is highly likely, if not certain that even companies that have done a lot of work with the CCPA still have work to do,” said Odia Kagan, a partner with Fox & Rothschild LLP in Philadelphia. 

Sean P. Nalty, a shareholder with Ogletree, Deakins, Nash, Smoak & Stewart P.C. in San Francisco, said employers may face more legal issues because of the new law’s applicability to employees, “particularly if disgruntled employees were to try to use the law” to frustrate their employers. 

“But if you put a good procedure in place and train your people appropriately, by and large it will be something that employers will be able to comply with,” he said. 

Experts predict there will be more enforcement than under the earlier law because that function will be led by a dedicated agency.   

Initially, enforcement will likely focus on data brokers that collect large amounts of information and use it for commercial purposes before expanding to egregious violations by other organizations and those “who do nothing at all or window dressing,” said Philip L. Gordon, a shareholder with Littler Mendelson P.C. in Denver.   

Experts predict additional states will adopt similar laws, although they will not necessarily be as restrictive as California’s.

Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co., said, “It’s hard to say if others will go as far as California, but certainly, we’ll have some more comprehensive consumer privacy laws” in more states in the near future. 

“Obviously, many U.S. businesses have connections to California, so they have to cope with the California statute, and so, unless the Congress surprises us and there is a national privacy law, California’s will remain the most stringent,” said Jarno Vanto, a partner with King & Spalding LLP in New York. 

Within a few years more states will adopt privacy controls, and even states whose impending laws are now milder than California’s will eventually make theirs more stringent, said Joshua Gold, a shareholder with Anderson Kill P.C. in New York. 

Employers will have coverage available for liabilities that arise under cyber liability insurance policies, experts say.

However, Tamara Snowdon, New York-based senior vice president and cyber coverage leader for Marsh LLC’s U.S. and Canada cyber practice, said that while cyber policies “continue to provide incredible robust coverage” for data breaches and disclosure of sensitive personal information, coverage for privacy issues really depends on clients’ negotiating power and the level of sophistication they can demonstrate. 

Coverage varies, said Deborah Hirschorn, Kansas City, Missouri-based managing director for U.S. cyber and technology errors and omissions claims at Lockton Cos. LLC. “Some (policy) forms are very broad and talk about managing and controlling personal information,” she said. Others’ policy language is stricter. 

Furthermore, “it is yet to be determined” whether fines under privacy laws, including GDPR, are insurable, Ms. Hirschorn said.