Make no mistake about it, California has passed a digital privacy law that impacts the national and global economy and represents a seismic change for compliance procedures in the US in much the same way that GDPR has changed privacy rules. Not only because California has the fifth largest GDP on the planet, but because of the simple fact that companies are not likely to create dual systems of mapping and processes to differentiate between Californians and its other customers.
Our prior blog commented on the new law’s concept of “presumed damages,” meaning that the new law makes it possible to make a claim based on the exposure of the information alone regardless of whether the claimants can show that the hack resulted in any actual misuse of their information. You may note that the different federal Circuits have been split on this core issue with some jurisdictions requiring a claimant to show at least a modicum of actual injury before maintaining a suit while other jurisdictions found that the exposure of the information in and of itself is a cognizable damage. This was one of the core issues in the highly publicized Ashley Madison litigation where subscribers of popular dating website for married persons were challenged by the defendants because the hacked personal information was not used by anyone to cause actual damages to the plaintiffs. Given the sheer number of hacks that occur regularly, this presumed damage concept has the potential of creating a litigation tidal wave of claims and financial exposure notwithstanding a company’s best efforts to keep its customer data safe. This portends an ugly rash of attorney trolls who, like their copyright troll counterparts, will take advantage of the presumed damages to line up “victims” hoping to cash in on the minimum penalties multiplied by large class sizes. When you consider the immense size of California’s consumer population coupled with the practical difficulty of creating dual systems by companies, California has in effect passed a national law as it pertains to compliance planning.  We note that at least eleven (11) other States have initiated similar measures in their respective State legislatures which could mean that there will be differing standards with inconsistent rules that would complicate compliance for companies with operations in different States.
While the intent of the various States’ legislatures is genuine- to protect its citizens from abuse of their personal digital information- the implementation of far reaching State laws that define how interstate e-commerce is conducted may be challenged by federal law’s preemption under the “Commerce Clause” of the US federal Constitution. Generally, this means that while States retain authority to legislate on behalf of their own citizens, undue burdens placed on interstate commerce would conflict with Article 1, Section 8 of the Constitution and may be challenged. Even though AB375 is limited to businesses that do business with California residents and thereby does not discriminate on its face, it can be argued that the practical effect of the law does place an undue burden on interstate commerce. Also, since AB375 contains an income generating mechanism for California - some would even say a new tax on businesses given the frequency of cyber data exposures - we can envision a Commerce Clause challenge.
It is important to note that the California Legislature is permitted to offer amendments to the law prior to its effective date in 2020. We hope that this time may be used to reconsider this presumed damage aspect of the law and consider companies’ use of best available technology to harden its system against hacks. While AB375 does provide an ability to avoid some of the penalties by allowing companies to cure a failure to provide information to a consumer, there are no safeguards to avoid the imminent litigation floodgate that presumed damages will unleash. Perhaps the answer lies in a federal response, similar to GDPR, which provides a level of certainty by a single unified law rather than a patchwork of different State’s laws like AB375.
To find out more about the new California Privacy Law (AB 375), plan to attend Archive360’s upcoming webinar titled: Understanding the California Privacy Act scheduled for August 9 at 11:00 am ET.
 AB 375; https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB37
 The Supreme Court has ruled that for a recognizable damage to exist, the “threatened injury must be certainly impending.” Clapper v. Amnesty Int'l USA, 568 U.S. 398, 409 (2013). Mere “allegations of possible future injury are not sufficient.” Yet, there is a split among Circuits as to whether the fear of a future identity theft resulting from a data breach is a recognizable damage. The Sixth, Seventh, and Ninth Circuits permits damages arising solely from a fear of future identity theft. Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015); and Krottner v. Starbucks Corp.,
628 F.3d 1139 (9th Cir. 2010). The Fourth, First, and Third Circuits have found the opposite.
See Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, No. 9
16-1328, 2017 WL 1740442 (U.S. June 26, 2017); Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir.
2012); and Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). We note that California is within the Ninth Circuit where the Starbucks case was decided.
 The ability to collect on a claim without showing actual damages under AB375 is limited to California residents, however.
 See, AB375, Section 1798.155 (b),(c) and 1798.160.
 See, AB375, Section 1798.150 (b)(1).