golden gate bridge

By:  T. Paul Markovits, DJCL Web Editor at Widener University Delaware Law School

golden gate bridge

If you counsel businesses regarding their liability to consumers, you have likely heard of California’s Consumer Privacy Act of 2018 (the “CCPA”), in place to take effect on January 1, 2020.  This article provides a brief synopsis of some of the burdens the CCPA places on businesses.

While the most obvious monetary burden placed on businesses that may come to mind is the large penalty fees incurred for noncompliance with the CCPA, the larger and more prevalent burden on businesses is the amount of money that will be spent by businesses in order to ensure compliance with the CCPA.[1]  Most corporations in Delaware and across the globe will likely have to hire new employees and create special departments to answer consumer’s verifiable requests, to respond to data privacy inquiries, and to control opt-out communications.[2]  While the CCPA does not require businesses to have a Data Protections Officer or any other type of employee to manage compliance with the CCPA, “it does mandate that businesses train employees involved in compliance and responding to customer inquiries about the CCPA.”[3]  Furthermore, due to the CCPA requiring businesses to provide an opt-out function on business websites, in addition to a toll-free telephone number, companies will have to employ individuals not only to implement such systems, but also to respond to such communications coming through those channels.[4]  While businesses currently spend between forty to eighty percent of gross revenue on employee salaries and benefits, with salaries comprising eighteen to fifty-two percent of a business’s operating budget, businesses will see their expenses increase and profits decrease due to the obligations businesses are subject to follow under the CCPA.[5]

In addition to the employment costs associated with complying with the CCPA, businesses will have to implement new software programs or find a way to respond to consumers’ requests.[6]  Some businesses that possess consumer information store such information “in proprietary formats or formats that require substantial licensing fees to access,” which “could significantly impact the cost of compliance for businesses” due to the CCPA’s requirement to provide consumers with “a readily useable format” of how their information is being utilized.[7]  While a business may not have a problem providing information to consumers in a usable format if the business is able to charge the consumer for the work, the CCPA explicitly provides that businesses must provide information to consumers upon request, “free of charge.”[8]  As noted above, this is another expense the business will incur with no opportunity of breaking even; the CCPA only puts businesses at a loss.

While businesses may feel the financial impact of the CCPA as they prepare for the CCPA to take effect, businesses will particularly feel the financial impact of the CCPA if they are held liable for violating the CCPA.[9]  The CCPA provides consumers with the ability to institute a civil action against a business that does not “implement and maintain reasonable security procedures and practices,” with the ability “[t]o recover damages in an amount not less than one hundred ($100) and not greater than seven hundred and fifty ($750) per customer per incident or actual damages, whichever is greater.”[10]  For such a violation, consumers may also seek “[i]njunctive or declaratory relief” and “[a]ny other relief the court deems proper.”[11]  For intentional violations of the CCPA, corporations may be held civilly liable for “up to seven thousand five hundred dollar ($7,500) for each violation.”[12]  The potential liabilities businesses face under the CCPA are high and exceedingly burdensome.[13]  To provide an application of the penalties that may be imposed under the CCPA, imagine that a court finds that a business has failed to “maintain reasonable security procedures” in compliance with the CCPA by possessing one unencrypted list of one million names with California residents’ social security numbers.[14]  This business could be held civilly liable for $750 million.[15]  In a class action lawsuit where there is a data breach involving 1.4 million California consumers, a business could be found liable for over one billion dollars.[16]  Not only do businesses carry a high level of responsibility for protecting consumer’s personal information, but they also face potential liability. This liability would be astronomical and, therefore, should put businesses and corporations on alert prior to the CCPA taking effect.[17]

Conclusion

With the CCPA taking effect on January 1, 2020, businesses across the globe, and particularly the large corporations in Delaware who do business with California residents, should take notice of the strict compliance guidelines set forth by the California legislature.[18]  While there may be constitutional challenges businesses may try as a defense if a lawsuit would ensue under the CCPA, if courts do not submit to the unconstitutionality argument, businesses could be held liable for such great amounts as to declare businesses bankrupt.[19]

T. Paul MarkovitsAbout the Author:  T. Paul Markovits is the DJCL Web Editor at Widener University Delaware Law School.  Prior to attending law school, Mr. Markovits started Design Cache, a graphic and website design business that has continued in operation while Markovits attends law school.  During law school, Markovits has had the honor of serving as a judicial extern to the Honorable Mary Pat Thynge, Chief Magistrate Judge for the U.S. District Court for the District of Delaware.  Currently, Markovits works as a law clerk for Halloran Farkas + Kittila LLP where he works on corporate litigation matters.  In his free time, Markovits blogs about law school on his blog, lawschoolstudyguide.com, and also enjoys taking his dog, Missy, for walks.

Footnotes:

[1] See Grant Davis-Denny et al., The California Consumer Privacy Act: 3 Early Questions, Law360, July 02, 2018 (explaining the effects of the California Consumer Privacy Act of 2018 on businesses).

[2] See Id.

[3] Grant Davis-Denny, California’s Consumer Privacy Act Vs. GDPR, Law360, August 01, 2018.

[4] See Cal. Civ. Code § 1798.130 (requiring businesses to create an opt-out function and provide a toll-free telephone number).

[5] See Carol Deeb, Percent of a Business Budget for Salary, Hearst Newspapers, LLC, https://smallbusiness.chron.com.

[6] See Grant Davis-Denny et al., The California Consumer Privacy Act: 3 Early Questions, Law360, July 02, 2018.

[7] Grant Davis-Denny et al., The California Consumer Privacy Act: 3 Early Questions, Law360, July 02, 2018; Cal. Civ. Code § 1798.100.

[8] Cal. Civ. Code § 1798.100.

[9] See 2017 Cal. AB 375 § 2.

[10] Cal. Civ. Code § 1798.150.

[11] Id.

[12] Id.

[13] See Grant Davis-Denny, California’s Consumer Privacy Act Vs. GDPR, Law360, August 01, 2018.

[14] Grant Davis-Denny et al., The California Consumer Privacy Act: 3 Early Questions, Law360, July 02, 2018; Cal. Civ. Code § 1798.150.

[15] Grant Davis-Denny et al., The California Consumer Privacy Act: 3 Early Questions, Law360, July 02, 2018.

[16] See Cal. Civ. Code § 1798.150.

[17] See Grant Davis-Denny, California’s Consumer Privacy Act Vs. GDPR, Law360, August 01, 2018; 2017 Cal. AB 375 § 2.

[18] 2017 Cal. AB 375 § 2.

[19] See Grant Davis-Denny, California’s Consumer Privacy Act Vs. GDPR, Law360, August 01, 2018.