At the end of June, California Governor Jerry Brown signed into law AB 375, the California Consumer Privacy Act of 2018. This law is the California equivalent of GDPR, and it affects every company that does business in California, as well as any company to which such a business sells customer data.
Like GDPR, the law gives California residents the right to view the data that companies hold on them, make corrections to it, and request that it be deleted, as well as not sold to third parties. In fact, businesses have to add a “Do Not Sell my Personal Information” link to their site.
It is also important to know that any company holding data on more than 50,000 people is subject to California’s law. The California attorney general can sue for $7,500 for each intentional violation of privacy, and the new law holds companies accountable for data breaches, allowing consumers to sue them for up to $750 per violation.
Law AB 375, the California Consumer Privacy Act of 2018, states: “Damages range from $100 to $750 per consumer per incident, or based on actual damages, whichever is greater.”
Even though this amount may not seem like much to some companies, it adds up when tens of thousands of users are involved in a compliance violation.
If you already comply with best practices for GDPR, you’re a step ahead of the game in avoiding these burdensome costs. What this means is that your business:
- Knows where and what data it holds.
- Knows the accuracy of that data.
- Has updated any inaccuracies in the data.
- Has removed all old, outdated or obsolete data, and plans to keep doing so on an ongoing basis.
- Has ensured that everyone responsible for each data collection channel knows the new rules and has adjusted, or will adjust, accordingly, removing or changing the data they store as required.
- Has set up a way to document how data is handled every step of the way (from the moment data gets stored).
- Has set up rules regarding data handling to ensure everyone in the company who handles data knows what is expected of them.
Given the volume of data businesses hold in this digital era, it isn’t simple to get eyes on everything and organize it without help, or to ensure that nothing gets missed or ends up in the wrong place going forward. This is one of the reasons why GDPR encourages appointing a data protection officer.
Also, according to California’s law, a business has only 45 days to provide, free of charge, all the information they have on a consumer when a consumer requests such information. Additionally, if found to be noncompliant with the law, companies have 30 days to respond to the situation and show compliance.
Having an expert who already helps businesses meet compliance requirements such as those set forth by GDPR, NIST 800-171 or HIPAA lets a business quickly obtain an assessment of where it stands against the California Consumer Privacy Act of 2018, along with a proactive plan for the next steps needed to reach compliance and avoid fines.
Even though the California Consumer Privacy Act of 2018 doesn’t go into effect until January 1, 2020, it’s best to get a head start instead of waiting until the last minute.
Plus, if your business does, or plans to do, business with EU citizens, GDPR is already in effect, and it’s safe to say that compliance laws such as these won’t stop with Europe or California.
Photo courtesy of docstockmedia