California Records Management Laws, 2019 Update

These are the five most important records management laws affecting California businesses in 2019.

One of the more significant media threads of the last couple of years in America is consumer privacy—who has access to our data and how they use it. This desire for consumer privacy also comes with a desire for greater transparency when it comes to both corporations and government agencies. In 2018, California made big waves with three new pieces of information legislation covering both consumer privacy and public records transparency.

The number of records-related regulations you have to keep track of and integrate into your records management policies can seem overwhelming, we know. So we’ve worked up a handy, up-to-date guide to the five most important records management laws to help keep California businesses on the right side of the law.

1. California Consumer Privacy Act

Most businesses are still in the thick of adjusting to this law, which was signed into effect on June 28, 2018. Though it’s technically a local law that applies to Californians, it’s viewed as a standard-setting privacy law for the United States.

The main thrust of the CCPA is that consumers have a right to know what personal information is being collected from them and whether that information is being sold or disclosed to a third party. It also gives them the right to disallow a company from collecting or disclosing that information—and the right to be forgotten.

2. General Data Protection Regulation (GDPR)

This legislation, passed by the EU in May 2018, is what California’s CCPA legislation was modeled after. Hence, the GDPR requirements for California businesses are also similar. The rules apply to any business that operates a website that can be viewed in the EU.

Compliance continues to be an issue for companies, including several based in California. The Los Angeles Times has opted to block traffic from the EU to avoid the possibility of being fined for noncompliance, and Google was recently hit with a €50 million fine by France for violating GDPR. Only 12% of U.S. companies were fully GDPR-compliant in 2018, according to an eMarketer study.

3. Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is federal records management legislation designed to safeguard personal medical information, including medical records and any other identifiable health information. It’s a common misconception that it applies only to companies in the health sector like hospitals, health tech firms, and doctors’ offices. Not so. As we’ve shared before, a HIPAA horror story can befall any company that handles employee health data via medical claims and other benefits-related information.

HIPAA is so critical to any business that the consequences of being found asleep at the HIPAA wheel bear repeating. In 2013, the government increased penalties for HIPAA violations to a maximum of $1.5 million.

Although the current administration is in favor of a more relaxed regulatory environment, HIPAA enforcement isn’t exactly winding down. While the number of companies on the receiving end of fines and lawsuits by the Department of Health and Human Services decreased from 13 in 2016 to 10 in 2018, the amount of those fines and settlements increased from $23.5 million in 2016 to a record $25.7 million in 2018.

4. California Data Breach Notification

This statute requires companies to notify any California resident whose information was acquired by an unauthorized entity, and if the number of residents affected is over 500, the company must also file a notification of the breach with the Attorney General.

The last update to this statute was in 2016, but the passage of the California Consumer Privacy Act could affect what constitutes a breach, if personal data is collected against a person’s will. It’s not hard to imagine scenarios in which consumers who have opted out of data collection discover that a company hasn’t correctly implemented their opt-out policy, and their data has ended up in the hands of an unauthorized entity.

5. California Senate Bill 1421 and Assembly Bill 748

California Governor Jerry Brown signed into law two huge pieces of information-related legislation in 2018: Senate Bill 1421, and Assembly Bill 748. Both deal with police records, and if you’re a municipality, you need to know what is and is not required with these new laws.

Senate Bill 1421, which is already in effect, requires state and local agencies to make records of misconduct investigations available to the public. This includes investigations into shootings, uses of excessive force, and sexual assault allegedly committed by “peace and custodial” (i.e., police) officers. These records, though, will have to be redacted to remove information like personal addresses and telephone numbers. (The Los Angeles Times has a good rundown here, and the full text of the bill is here.)

Assembly Bill 748 allows the release of body camera footage and audio recordings. Footage and audio recordings may be withheld for 45 days if their disclosure would interfere with an active investigation. This law will go into effect on July 1, 2019. (Full text of the bill is here.)

Stay on the right side of the law. With a little help.

The penalties, and the damage to your company’s reputation, if you break these laws pose a giant risk to your business. But Corodata can help.


Sources

Updates Regulation P To Implement Legislation Amending Gramm-Leach-Bliley Act | Bureau of Consumer Financial Protection

2018 Sarbanes-Oxley Survey | Protiviti

HIPAA Enforcement Expectations and Updates for 2019 | JD Supra

How US Companies Are Becoming GDPR Compliant | eMarketer