Here are some examples, in some cases demonstrating a
dramatic re-framing of privacy rights and in others simply
showing how data protection laws continue to tighten.
CALIFORNIA: Violation of Privacy
California recently enacted the California Consumer Privacy
Act (CCPA) of 2018 to address privacy concerns specifically
raised by the Cambridge Analytica incident, where it became
public knowledge that people’s personal information was
commonly being used and sold, without their knowledge.
It’s no surprise that California acted so quickly. Standing
as a data protection bellwether dates back to the creation
of data breach notification. It is also no surprise that it so
closely mirrors the GDPR, even including the classification of
deoxyribonucleic acid (DNA) to the as personally identifiable
“It is important to note
that, the individual’s right
to action is not lost on
the state’s class action
attorneys. The language
used opens the door to
potentially massive class
action lawsuits; a door
that had before been tightly
And, while the CCPA is primarily aimed at shoring up privacy,
transparency, and consumers’ control of their personal
information, just like the authors of the GDPR, California
regulators took the opportunity to add important data
protection requirements and penalties.
1798.150. (a) ( 1) Any consumer whose nonencrypted
or nonredacted personal information, as defined in
subparagraph (A) of paragraph ( 1) of subdivision (d) of
Section 1798.81.5, is subject to an unauthorized access
and exfiltration, theft, or disclosure as a result of the
business’ violation of the duty to implement and maintain
reasonable security procedures and practices appropriate
to the nature of the information to protect the personal
information may institute a civil action for any of the
(A) To recover damages in an amount not less than
one hundred dollars ($100) and not greater than
seven hundred and fifty ($750) per consumer
per incident [per record] or actual damages,
whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
In addition to an individual’s right to action (described above),
the bill also gives the state of California the right to fine the
offender up to $7,500 per record. It is important to note
that, the individual’s right to action is not lost on the state’s
class action attorneys. The language used opens the door
to potentially massive class action lawsuits; a door that had
before been tightly closed.
COLORADO: Disposition & Destruction
Procedures Must Be Documented
Around the same time, Colorado passed a different type of
data protection law. However, while House Bill 18-1128, which
took effect on September was framed as enhancing consumer
privacy, its new requirements, though less ambitious in scope
than CCPA, are more precisely aimed at data protection and
specifically at data destruction.
The first part of Colorado House Bill 18-1128 focuses on breach
notification, shortening the period to provided notice (30
days), and expanding the definition of personal information.
All worthy improvements, but nothing new and exciting.
Where the Colorado law gets interesting, however, is on the
attention it gives data destruction, specifically and clearly