Companies around the United States have to comply with California privacy laws—because their web or mobile sites are accessible to consumers in California, because they have customers or employees in California or because their enterprise customers have customers or employees in California. Ever since the people of California added a right to privacy to Article 1 of the California Constitution by way of a proposition in 1972, the California legislature has been prolific in enacting and updating privacy laws, many with private rights of action that are enforced by way of class action lawsuits against companies within and outside the Golden State. Today, California leads the nation not only as an innovation hub for information technologies, but also with the most comprehensive, stringent and up-to-date information privacy laws.
To mitigate risks, companies should implement a privacy compliance program (or add California privacy law considerations to an existing program). Companies should also periodically check up on their status with a compliance checklist. Organizations that implement a formal data privacy and security compliance program and put someone in place to maintain and oversee it run a lower risk of missing new developments, suffering from employees’ missteps or making bad business decisions that could invoke liability under data privacy laws. Many companies are specifically required to implement a formal program or benefit from special liability protections under data privacy laws when they do. Regulators and law enforcement are less likely to bring charges for unintentional violations if a company can prove that it used reasonable efforts. Also, companies can better defend against claims if they can show they generally acted diligently and were just unlucky when something went wrong.
