On December 10, 2020, California Attorney General Xavier Becerra (California AG) released a fourth set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations that went into effect on August 14, 2020. These modifications reflect minor changes to the third set of modifications to the regulations (published on October 12, 2020).
What’s New in the Fourth Set of Modifications:
The fourth set of modifications focus on notice obligations for businesses that sell personal information that is collected offline and the re-introduction of a “Do Not Sell My Personal Information” button.
The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data beach, the CCPA provides for statutory damages of $100–$750 per consumer per incident. READ MORE