If your Connecticut company does business in California, it could be subject to the new California Consumer Privacy Act, which takes effect Jan. 1, 2020.

The statute imposes a number of requirements on businesses related to the collection, use, and transfer of personal information.

The law applies to companies that collect personal information and have $25 million or more in annual gross revenue.

Among other things, a business subject to the new law must be able to respond to requests about what personal information it collects, shares, and sells involving California consumers.

In some cases, businesses are required to limit or stop sharing California consumers' personal information, provide consumers with a copy of their data, or delete the data upon request.

Connecticut lawmakers earlier this year proposed a consumer privacy law but opted against it after CBIA and others testified about its negative impact on small businesses.

The Connecticut legislature instead created a task force to study the issue.

Costly Consequences

Failing to comply with the new California law can be costly.

The California attorney general is authorized to enforce the new law, which provides a private right of action—with statutory damages of $100 up to $750 per consumer per incident—for data breaches caused by a business' failure to implement reasonable security measures.

Given those stakes, companies and organizations that do business in California and collect personal information relating to California residents need to prepare.

The law applies to companies that:

  • Do business in California
  • Collect personal information
  • Determine, alone or with others, the method of processing that information
  • Have annual gross revenues of more than $25 million
  • Annually buy, receive for commercial purposes, sell, or share for commercial purposes the personal information of at least 50,000 consumers, households, or devices
  • Derive at least 50 percent of annual revenue from selling consumers' personal information

California officials acknowledge that obligations created by the privacy act do not neatly align with the European Union's General Data Protection Regulation.