States expand data liability for employers

A privacy law taking effect in California Jan. 1 is one of five such laws scheduled to take effect in various states next year that will tighten regulation of online data.

More states are expected to pass similar legislation, in addition to the laws already approved in California, which will have the most stringent rules; Colorado; Connecticut; Utah; and Virginia, as the issue of consumer privacy garners more attention. 

The California Privacy Rights Act, which was approved by voters in a 2020 ballot measure, amends the California Consumer Privacy Act, which took effect Jan. 1, 2020.   

Like the earlier act, which was influenced by the European Union’s 2018 General Data Protection Regulation, the new law grants consumers a private right of action if there is a data breach. 

But it expands on the earlier law by including protections for employees, job applicants and independent contractors. 

The law also eliminates a 30-day period permitting companies to “cure” violations before government enforcement actions are taken.  

The California Privacy Protection Agency, which was created by the 2020 law, will enforce the new law. The California attorney general still retains enforcement powers, too.

The law applies to organizations with at least $25 million in annual gross revenue, those that deal in the personal data or information of 100,000 or more California residents, or those that derive at least 50% of their annual revenue from selling consumers’ personal information.  

Enforcement of its provisions is slated to begin July 1, but experts warn companies may still be found liable for failure to comply with its requirements after its Jan. 1 implementation date. 

The measure in California is “a bit closer to what we see in Europe with the GDPR,” said Jenny L. Holmes, counsel with Nixon Peabody in Rochester, New York. 

Companies should analyze the personal information they have collected and update or adopt policies and procedures to comply with the law, said Brian McGinnis, a partner with Barnes & Thornburg LLP in Indianapolis. 

“It is highly likely, if not certain that even companies that have done a lot of work with the CCPA still have work to do,” said Odia Kagan, a partner with Fox & Rothschild LLP in Philadelphia. 

Sean P. Nalty, a shareholder with Ogletree, Deakins, Nash, Smoak & Stewart P.C. in San Francisco, said employers may face more legal issues because of the new law’s applicability to employees, “particularly if disgruntled employees were to try to use the law” to frustrate their employers. 

“But if you put a good procedure in place and train your people appropriately, by and large it will be something that employers will be able to comply with,” he said. 

Experts predict there will be more enforcement than under the earlier law because that function will be led by a dedicated agency.   

Initially, enforcement will likely focus on data brokers that collect large amounts of information and use it for commercial purposes before expanding to egregious violations by other organizations and those “who do nothing at all or window dressing,” said Philip L. Gordon, a shareholder with Littler Mendelson P.C. in Denver.   

Experts predict additional states will adopt similar laws, although they will not necessarily be as restrictive as California’s.

Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co., said, “It’s hard to say if others will go as far as California, but certainly, we’ll have some more comprehensive consumer privacy laws” in more states in the near future. 

“Obviously, many U.S. businesses have connections to California, so they have to cope with the California statute, and so, unless the Congress surprises us and there is a national privacy law, California’s will remain the most stringent,” said Jarno Vanto, a partner with King & Spalding LLP in New York. 

Within a few years more states will adopt privacy controls, and even states whose impending laws are now milder than California’s will eventually make theirs more stringent, said Joshua Gold, a shareholder with Anderson Kill P.C. in New York. 

Employers will have coverage available for liabilities that arise under cyber liability insurance policies, experts say.

However, Tamara Snowdon, New York-based senior vice president and cyber coverage leader for Marsh LLC’s U.S. and Canada cyber practice, said that while cyber policies “continue to provide incredible robust coverage” for data breaches and disclosure of sensitive personal information, coverage for privacy issues really depends on clients’ negotiating power and the level of sophistication they can demonstrate. 

Coverage varies, said Deborah Hirschorn, Kansas City, Missouri-based managing director for U.S. cyber and technology errors and omissions claims at Lockton Cos. LLC. “Some (policy) forms are very broad and talk about managing and controlling personal information,” she said. Others’ policy language is stricter. 

Furthermore, “it is yet to be determined” whether fines under privacy laws, including GDPR, are insurable, Ms. Hirschorn said.  



13 thoughts on “States expand data liability for employers

  1. Heya! I just wanted to ask if you ever have any problems with hackers? My last blog (wordpress) was hacked and I ended up losing many months of hard work due to no back up. Do you have any solutions to stop hackers?

  2. Thanks for your blog post. Things i would like to bring about is that computer system memory must be purchased but if your computer still can’t cope with whatever you do along with it. One can add two good old ram boards of 1GB each, by way of example, but not one of 1GB and one with 2GB. One should always check the manufacturer’s documentation for own PC to make certain what type of storage is required.

  3. whoah this blog is great i like reading your posts. Keep up the great work! You realize, a lot of persons are searching around for this information, you can help them greatly.

  4. Great post. I was checking constantly this blog and I’m inspired! Extremely helpful information specifically the ultimate phase 🙂 I handle such info a lot. I used to be looking for this particular information for a long time. Thanks and good luck.

  5. It抯 actually a cool and useful piece of information. I抦 glad that you shared this useful information with us. Please keep us up to date like this. Thanks for sharing.

  6. Thanks for posting. I really enjoyed reading it, especially because it addressed my problem. It helped me a lot and I hope it will help others too.

Leave a Reply

Your email address will not be published. Required fields are marked *