You could almost hear the cheers of plaintiffs’ class action lawyers in California last night, as California’s governor signed the most sweeping privacy law this country has seen to date.  Notably, the law gives consumers the right to statutory damages in the event of a breach if the company holding the consumer’s information failed to implement reasonable security measures.  Those statutory damages are not less than $100 and not more than $750 “per consumer per incident or actual damages, whichever is greater.”

It is clear that the General Data Protection Regulation from Europe inspired many of this law’s other provisions, such as required transparency in how entities collect and share data and the right of individuals to have their personal information deleted.

The new law does not take effect until January 2020, giving organizations time to digest the requirements and providing legislators with the opportunity to refine the hastily drafted language. Corporations and legislators threw the bill together at the last minute to avoid a ballot measure that would have contained even more onerous fines, requirements and protections.  The Privacy and Cybersecurity Group will continue to keep a close watch to see if other states follow California’s lead in expanding individuals’ data protection rights.