California’s New Privacy Law: A Surge of Litigation and Fines Expected

August 07, 2018

By Brad Gorenflo and Britt Eilhardt

In the wake of the GDPR’s recent enactment and increased cyber security regulations on the international stage, California has passed legislation that offers consumers more legal avenues to bring claims against companies utilizing their personal data. The California Consumer Privacy Act (CCPA) passed into law on June 28, 2018, and will take effect in 2020. Prior to CCPA’s passage, most data protection laws in the United States have done little to limit what businesses can do with consumer information, which makes the California privacy measure one of the most comprehensive in the United States. It is expected that other states will follow California’s lead in instituting increasingly tougher privacy laws.


The CCPA will apply to any company that does business with customers in California and either (1) has more than $25 million in annual gross revenue; (2) buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50 percent or more of their revenue from the sale of consumers’ personal information.

Under the CCPA, the State’s Attorney General is granted more authority to fine businesses that do not adhere to the new regulations. Most significantly, the CCPA provides a framework for consumers to bring private actions for data breaches absent a showing of particularized and concrete consumer harm. This lower threshold for standing is expected to result in a wave of consumer litigation and class actions.

The resulting losses from violations of the CCPA may be significant. Businesses will be given 30 days to address and fix a violation before being fined. After the 30 day period, the State Attorney General can bring suit against a business for $2,500 per violation and up to $7,500 per intentional violation of privacy, while consumers may be able to sue for up to $750 for each violation. With fines being applied per consumer, per incident, non-compliant businesses need to prepare for a potential flood of consumer-driven litigation, class actions, and pile-up of fines.


The CCPA exclusively protects California consumers and gives them the right to know what information businesses are collecting about them, why they are collecting the data, and with whom they are sharing their data. Consumers will have the right to tell businesses to delete their information and to not sell or share their data. As for the businesses utilizing personal data, the CCPA will require them to give consumers who exercise these rights the same quality of service – meaning businesses cannot deny goods or services or charge different prices or rates. The CCPA will also require businesses to obtain permission before selling any information of children under the age of 16. Moreover, the definition applied to personal information in the CCPA is broader than most (if not all) statutory definitions and includes, for example, biometric data, internet activity, and consumer profiles.


It is important to discuss with your insurance broker the details of the CCPA and how your cyber policy may respond.

Download the white paper here.

BRITT EILHARDT is a Vice President, Cyber Claims Specialist in Beecher Carlson’s Executive Liability Practice in New York. She is dedicated to working with clients in navigating cyber claims from breach to resolution, swiftly connecting clients with vendors in the event of a breach, reviewing and drafting cyber policy forms and market enhancements, and strategizing with clients on coverage concerns.  Britt is an attorney who previously litigated insurance coverage matters in state and federal courts. She is a member of the New York and New Jersey State Bars. She can be contacted at

BRADFORD GORENFLO is a Legal Intern in Beecher Carlson’s Executive Liability Practice in New York. He is a rising second-year law student at New York Law School where he is concentrating on Business and Corporate Law courses with an interest in Compliance in the financial industry. Prior to law school he gained valuable experience working for a real estate law firm assisting with closings for cooperative and condominium transactions and property re-investments. Bradford has BA in Economics and Political Science with an emphasis in Public law from the University at Albany. He can be contacted at and

This article is intended for informational purposes only. It is not a guarantee of coverage and should not be used as a substitute for an individualized assessment of one’s need for insurance or alternative risk services, nor should it be relied upon as legal advice, which should only be rendered by a competent attorney familiar with the facts and circumstances of a particular matter. Copyright Beecher Carlson Insurance Services, LLC. All Rights Reserved.