November 05, 2018 Practice Points

How Will California Cybersecurity Laws Affect U.S. Business?

Attorneys who represent companies that reach customers who reside in the Golden State ought to become familiar with what is happening there.

By Nancy A. Del Pizzo

The State of California has taken a leadership role toward cybersecurity and protecting its residents’ personal information in particular. Attorneys who represent companies that reach customers who reside in California ought to become familiar with what is happening in that state. If you think this does not affect your clients, take a closer look at their sales territories and websites, and at how and from whom they collect data.

New laws could affect businesses throughout the United States, including California’s regulation for Internet-of-things (IoT) devices. Specifically, on September 28, 2018, California Governor Jerry Brown signed into law Senate Bill No. 327 and its cohort, Assembly Bill No. 1906, which require that beginning on January 1, 2020, all manufacturers of a “connected device” must equip that device with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

A “connected device” is defined as “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” That means anyone making Internet-connected devices and selling or offering them for sale in California is covered under this law.

Another law passed in California on June 28, 2018, is likely to affect your clients whose websites collect data from California residents regardless of whether the client has a brick-and-mortar location in the State of California. That law, the California Consumer Privacy Act of 2018 (CCPA), largely parallels the General Data Protection Regulation (GDPR), which became effective this year and affects companies that collect data of individuals in the European Union.

Like California’s new IoT law, the CCPA becomes operative January 1, 2020. Specific provisions include that consumers may demand that a business disclose the personal information it collects on that consumer, the categories of sources for that information, its business purposes for collecting or selling the information, and with whom it shares the information. To comply with the CCPA, businesses will need to understand the details of the data they collect, how they collect it, and where they store it.

On September 23, 2018, Gov. Jerry Brown of California signed amendments to the CCPA into law. The amendments provide that the attorney general cannot bring an enforcement action until six months after it publishes final regulations or July 1, 2020, whichever is sooner. The attorney general has until July 1, 2020, to publish those regulations. Notably, the recent amendments also provide a private right of action for data breach incidents.

Attorneys who counsel businesses with nationwide reach are better prepared when fueled with knowledge of privacy laws coming from those legislators leading on this issue.

Nancy A. Del Pizzo is a partner at Rivkin Radler LLP in New York City, New York. She is also cochair of the Section of Litigation Intellectual Property committee’s Internet and Privacy Subcommittee.

Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).