Beginning Jan. 1, certain companies doing business in California had to comply with what is now the nation’s strictest data privacy law: the California Consumer Privacy Act. The CCPA is an extraordinary piece of legislation regulating the processing of personal data of California residents.
If a business processes personal data of Californians and meets certain threshold requirements, the business will be subject to the new law and its potential penalties for non-compliance. Unintentional violations of the CCPA can result in a fine of $2,500 per person affected; a company’s misuse of 100 clients’ personal data would result in a stiff civil fine of $250,000. On top of civil fines, the CCPA provides a private right of action for those affected by certain data breaches.
The CCPA is certainly the most onerous data privacy law in the country and might become the benchmark for the future of U.S. data privacy regulation. U.S. data privacy laws have traditionally applied only to certain industries, such as financial and educational institutions or health care providers. In the wake of multiple public personal data privacy scandals and Europe’s adoption of its sweeping General Data Protection Regulation, the United States is rethinking how to regulate the processing of personal data.
Members of Congress disagree on whether a federal law should preempt stricter state laws or simply serve as the baseline requirement. In the meantime, a variety of data privacy bills have appeared in New York, Illinois, Maryland, Pennsylvania and several other states. While Indiana has not yet taken steps toward its own data privacy law, Indiana businesses will soon have to comply with other states’ laws or perhaps a new, all-encompassing federal law; it’s in their best interest to start the process now.
Data privacy laws might differ across industries, states and countries, but the first step to compliance is generally the same: You must understand your company’s “data ecosystem”—how your company collects, uses and shares personal data, and how long it is kept.
This is typically achieved by taking inventory of all personal data your company collects or stores and mapping how that personal data travels within your organization and to outside third parties. Once completed, you can identify which personal data elements might be affected by data privacy laws and begin developing internal standards, policies and procedures to meet your company’s compliance obligations.
Forward-thinking Indiana businesses would do well to start tracking their personal data like they do their dollars. In our mergers and acquisitions practice, we are seeing acquiring companies increase their due diligence on target companies’ data privacy practices. As data becomes more and more important to the national and global economy, Indiana businesses would do well to start understanding their data ecosystems today.
Wilson is a member of the mergers and acquisitions practice group at Densborn Blachly LLP.