California's new AB 375 privacy law is not as bad as GDPR, but the details are still in flux. CCPA lacks some of GDPR's scariest requirements, such as the very short 72-hour window in which an organization must report a data breach, but in other areas it goes even further than GDPR. So, how do you get and stay compliant? CSO Online has a good executive summary:
What is the CCPA?
AB 375 allows any California consumer to demand to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with. In addition, the California law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach.
Which companies does the CCPA affect?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law. In addition, companies of any size that hold personal data on at least 50,000 people, or that collect more than half of their revenue from the sale of personal data, also fall under the law. Companies don't have to be based in California or have a physical presence there to fall under the law. They don't even have to be based in the United States.
An amendment made in April exempts “insurance institutions, agents, and support organizations” as they are already subject to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
When does my company need to comply with the CCPA?
The law went into effect on January 1, 2020, but enforcement began on July 1.
What happens if my company is not in compliance with the CCPA?
Companies have 30 days to comply with the law once regulators notify them of a violation. If the issue isn't resolved, there's a fine of up to $7,500 per record. "If you think about how many records are affected in a breach, it really increases very quickly," says Debra Farber, senior director for privacy strategy at BigID. Since the bill was put together and passed in just a week, it will probably see some amendments, she adds. "Things like the fine amounts are likely to change."
How To Get And Stay Compliant?
In short, identify the controls you need to comply with, find out who can be responsible for each control and task them with that specific control and its frequency (for example, check event logs once a month), then implement a routine to make sure these controls are in place and stay up to date. The KnowBe4 KCM GRC compliance module has CCPA as one of the managed templates that you can use to prevent compliance problems with this new law.