Beginning Jan. 1, 2020, certain companies doing business in California will have to comply with what is now the nation's strictest data privacy law – the California Consumer Privacy Act (CCPA). The CCPA is an extraordinary piece of legislation regulating the processing of personal data of California residents. If a business processes personal data of Californians and meets certain threshold requirements, the business will be subject to the new law and its potential penalties for non-compliance. Unintentional violations of the CCPA can result in a fine of $2,500 per person affected; a company’s misuse of 100 clients’ personal data would be a stiff civil fine of $250,000. On top of civil fines, the CCPA provides a private right of action for those affected by certain data breaches.

The CCPA is certainly the most onerous data privacy law in the U.S. and may become the benchmark for the future of U.S. data privacy regulation. U.S. data privacy laws have traditionally only applied to certain industries, such as financial and educational institutions or healthcare providers. In the wake of multiple public personal data privacy scandals and Europe's adoption of its sweeping General Data Protection Regulation, the U.S. is rethinking how to regulate the processing of personal data. 

Members of Congress currently disagree whether a federal law should preempt stricter state laws or simply serve as the baseline requirement. In the meantime, a variety of data privacy bills have appeared in New York, Illinois, Maryland, Pennsylvania and several other states. While Indiana has not yet taken steps toward its own data privacy law, Indiana businesses will soon have to comply with other states' laws or perhaps a new, all-encompassing federal law – and it’s in their best interest to start the process now.

Data privacy laws may differ across industries, states and countries, but the first step to compliance is generally the same: you must understand your company's "data ecosystem." That is, how does your company collect, use and share personal data, and for how long is it kept. This is typically achieved by taking inventory of all personal data your company collects or stores and mapping how that personal data travels within your organization and to outside third parties. Once completed, you can identify which personal data elements may be impacted by data privacy laws and begin developing internal standards, policies and procedures to meet your company's compliance obligations.

Forward-thinking Indiana businesses would do well to start tracking their personal data like they do their dollars. In our mergers and acquisitions practice, we are seeing acquiring companies upping the due diligence on target companies’ data privacy practices. As data becomes more and more important to the national and global economy, Indiana businesses would do well to start understanding their data ecosystems today.

Brett Wilson is a member of the Mergers and Acquisitions Practice group at Densborn Blachly, LLP.