California has just imposed a significant new set of privacy and data security requirements that will affect a large share of consumer-facing businesses in the US. Companies will have to implement new procedures as they collect, sell, and disclose consumer data, and they now have a statutory obligation “to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
The California bill defines “personal information” very broadly to include identifying information that is not usually thought of as highly sensitive, such as the phone number or IP address of a California resident. (In this way, it is much more like the EU’s recent GDPR than like most US-based privacy and security standards.)
The bill takes effect on January 1, 2020. It applies to any for-profit company doing business in California that has annual gross revenue above $25 million, or that buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or that derives 50% or more of its annual revenue from selling consumers’ personal information.
Many US-based companies have relatively soft data privacy and data security programs. For those companies, the California Consumer Privacy Act is your wake-up call. It is going to take time, effort, and commitment to meet these standards. If you do not start the process soon, you are going to come up short. And although you may not think that the California Attorney General cares enough about your business to take enforcement action, companies that do not take the necessary steps will be easy targets for class action plaintiff lawyers who will find you, sue you, and cost your business far more than you would spend complying with these new requirements on the front end. The statute’s private right of action is tied directly to the security obligation: consumers can sue when their nonencrypted or nonredacted personal information is breached because a business failed to maintain reasonable security, with statutory damages available per consumer per incident, so a weak security program is what turns a breach into a class action.
It’s time to get serious. Contact a lawyer who focuses on data privacy and security, get management’s approval to take the steps necessary to ensure compliance, engage the right technical help, and let someone else get sued in 2020.