California Passes Its Own GDPR Law

Uploaded on 2018-07-10 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The European Union’s General Data Protection Regulation (GDPR) is widely viewed as a massively expensive and burdensome privacy regulation that can be a major headache and pitfall for American firms doing business in Europe. Many firms, including Facebook, have sought ways around the law to avoid having to deal with the burden of compliance.

Well, there is no weaseling out now. Recently, with no fanfare, California Governor Jerry Brown signed into law AB375, the California Consumer Privacy Act of 2018, the California equivalent of GDPR that mirrors the EU law in many ways.

The law will give the State's 40 million residents the right to view the data that companies hold on them, make corrections to it, and request that it be deleted and not sold to third parties.

Facebook tried to get around the European regulations by shifting its entire European user base to US protections, but it didn’t work. The day GDPR went into effect, Facebook and Google were sued for a total of $8.8 billion by one privacy advocate in Austria.

Any company that holds data on more than 50,000 people is subject to California's law, and each violation carries a fine of $7,500. That may not seem like much, but it can add up when tens of thousands of users are involved, as they usually are.
Opposition to California Consumer Privacy Act of 2018

The Internet Association, a trade association of all the major Internet companies, issued a statement critical of the rushed process to pass the bill.

“Data regulation policy is complex and impacts every sector of the economy, including the internet industry. That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning,” said IA's vice president of state government affairs, Robert Callahan, in a statement.

“The circumstances of this bill are specific to California. It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike,” he added.

He’s not kidding on the expediency of the bill’s passage. The bill was first introduced in February 2017 but set to inactive in September. It was revived on June 21 and sped through the process, with unanimous votes in the state Assembly and Senate. Brown signed it literally hours after its passage. Why was it rushed? The Register reported that two very politically savvy individuals were working on a ballot initiative to do the same thing. What scared Sacramento is that ballot initiatives, once passed, are hard to change. That’s why Proposition 13 has survived so many years.

The tech sector and Sacramento bureaucrats were faced with a choice: pass their legislation that they could change later and hopefully persuade the duo to pull their ballot initiative, or they could roll the dice on a ballot initiative that, if it passed, would be much harder to change in future.

With the legislature and Governor Brown giving the two advocates what they wanted, the pair didn’t file for a fall ballot spot, even though they had enough signatures.

How the California Consumer Privacy Act of 2018 affects Companies' Data Center Operations
What happens now? If you do business in California, you have to comply with the law, and so does any company that you sell customer data. If they violate the law, you are on the hook for it. And you have to add a “Do Not Sell My Personal Information” link to your site. No doubt the law will be challenged, and the ballot can always come back if the law is weakened or overturned.

If you are potentially impacted by GDPR in any way, you should have already done some compliance. Now, if you do business in California you will have to, even if you aren’t in the State.

Basically, all the best practices for GDPR apply here. This means making sure all of your data is accurate. Now would be a really good time to revisit customer and mailing lists because if there are inaccuracies you can find it will save the trouble of doing it later. Old, outdated or obsolete data can be removed.

Make sure all data collection channels know of the new rules and adjust accordingly to take in correct data and quickly get at it to make changes or removals. Make sure to document data handling rules so everyone who handles data, either for intake, editing or management, knows what is expected.

Companies impacted by GDPR are being encouraged to hire data protection officers or something similar. Given the sensitivity of data breaches, that might be a good practice even without the law.

Take a complete inventory of your customer data and make sure you know where everything is. If a consumer requests their information, you must provide it free of charge within 45 days. That is not the time to go rummaging through databases for their information. And if you are informed of noncompliance with the law, you have 30 days to respond. 

So, expediency is paramount. That means knowing where everything is. The only good bit of news is it doesn’t go into effect until January 1, 2020. Of course, anything can happen between now and then. But at least companies have time to get into compliance.

Network World

You Might Also Read: 

Is GDPR Good For SME Data?

GDPR - More People Will Share Data:

 

« Five Tips To Secure IoT
ICO Fine Facebook Half A Million Pounds »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Applicure Technologies

Applicure Technologies

Applicure Technologies develops the leading multi-platform web application security software products to protect web sites and web applications from external and internal attacks.

Government Communications Headquarters (GCHQ)

Government Communications Headquarters (GCHQ)

GCHQ defends Government systems from cyber threat, provide support to the Armed Forces and strive to keep the public safe, in real life and online.

D-Fence

D-Fence

D-Fence high availability security service protects corporate email communication, the company and it's employee's against cyber threats.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

Norwegian Business & Industry Security Council (NSR)

Norwegian Business & Industry Security Council (NSR)

NSR is a member organization serving the Norwegian business sector in an advisory capacity on matters relating to crime and security including cyber.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

Styra

Styra

Styra allows companies to secure cloud environments and applications, including those built on the popular Kubernetes open-source cloud platform.

MicroEJ

MicroEJ

MicroEJ is a software vendor of cost-driven solutions for embedded and IoT devices.

Deepwatch

Deepwatch

deepwatch’s cloud SecOps platform and relentless customer focus are redefining the managed security services industry.

Stealth-ISS Group

Stealth-ISS Group

Stealth–ISS Group is your extended IT, cyber security, risk and compliance team, providing strategic guidance, engineering and audit services, along with technical remediation and security operations.

Ethiopian Cybersecurity Association (ECySA)

Ethiopian Cybersecurity Association (ECySA)

ECySA was formed to play an influential part in the ongoing and dawning cybersecurity practices of Ethiopia, efficiently creating public and private awareness on all kinds of cyber risks and threats.

NetGain Technologies

NetGain Technologies

NetGain Technologies helps small to medium-sized businesses gain access to expert IT talent. We provide strategies that use technology as a driving force behind business growth.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.

nodeQ

nodeQ

At nodeQ, we are pioneering the future of computer networks, leveraging our deep expertise in quantum communication, artificial intelligence, and software-defined networking.

Nexio

Nexio

We are Nexio. We help organisations take every NEXT step toward their accelerated digital transformation.

Halo Security

Halo Security

Halo Security is a fast, easy, and scalable external attack surface management platform that gives security leaders deep visibility into their internet-facing assets.