New state privacy laws mean doing business in California will come with new levels of compliance. To avoid complications – and hefty fines – follow this simple guide.

The first half of fiscal 2018 was festooned with the lead balloon of the General Data Privacy Regulations. An EU initiative years in the making, GDPR aimed to protect European citizens’ personal data online, and as any international company would include a European employee, customer, or contractor somewhere along the way, failure to comply with Brussels’ legislation would result in the kind of fines that could put your lights out for good.

Like the fidgety lead-up to Y2K, there were prognosticators and doomsayers, but aside from a few lawsuits aimed at big game trophies like Facebook or Google, GDPR’s implication date of May 25th passed mostly without incident.

Now, just when you thought it was safe to kick back and congratulate yourself on your glocal business being GDPR compliant, some yahoo in California’s gone and added another layer to this digital tiramisu.

The California Consumer Privacy Act (CCPA), a bill passed as AB-375, means that a business collecting, storing or selling any Californians’ personal information will have to fall in line to this new legislation. We’ve got until January 1st, 2020, to get this done.

As it was with GDPR, firms have some time to lawyer-up and get CCPA compliant to avoid fines currently set at $7500. This amount, as well as what the act will actually enforce could change between now and activation day, the underlying premise remains: Legislators “are concerned that misuse of personal data may have ‘devastating’ effects for individuals, including financial fraud, identity theft, unnecessary costs to personal time and finances, destruction of property, harassment, reputational damage, emotional stress, and even potential physical harm.”

Providing the kind of legal advice market innovators will need to assure compliance, international law firm Cooley has put together an FAQ on the subject, starting with who will need to get what straight in the next two years.

If you are a company with annual gross revenues over $25 million; if you obtain personal information from over 50,000 California residents, households or devices per year; or if selling any combination of this information accounts for more than 50 percent of your annual revenue; best pay attention and call Cooley.

Hey, my business isn’t based in California, this doesn’t apply to me.

Although there are grey areas state-by-state, if your business is online and you have even one customer from California, best to consider yourself as on the hook.

Ok then. Define customer.

California law would define customers as Individuals in the state for other than temporary or transitory purposes, and Individuals domiciled in the state who are outside the state for a temporary or transitory purpose. But since this definition is not limited to residents that buy goods and services, “consumers” would also include others, like, for example, an organization’s employees residing in California.

Fine. Now what does the CCPA define as “personal information”?

Well, a lot. There are the obvious things like your real name, postal address, IP address, email address, social security number, or driver’s license number. But it also encompasses commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies. And of course, your geolocation data. See a more comprehensive list in the Cooley FAQ.

But my company already went through GDPR and passed with flying colors.

Congratulations on that. Must have been no small feat. However, you will have to address the CCPA framework separately. Obtaining consent, for example, is a different process, and EU regulatory enforcement has, to date, been limited. In the US we expect more rigorous regulatory oversight. As such, to reduce clear and present risk, CCPA compliance will necessarily be more involved and precise. You’re not out of the woods yet.

And if one were to just ignore it?

Those found to be in violation would be subject to penalties pursuant to a civil action by the California attorney general, as set forth under Section 17206 of California’s Business and Professions Code. This provides for penalties up to $2,500 per violation, and a company found to have violated the CCPA intentionally would be liable for up to $7,500.  

So if I take care of all this now I’m good.

Given this law being passed so quickly, and the number of companies that would be affected already kicking up a fuss, the details will have to be monitored as January 2020 approaches. Stay tuned as we report new details as they come to light.

Just when GDPR was starting to feel manageable, California piles on by passing sweeping new online privacy law. Don’t worry, HR. SmartRecruiters got your back.

So, you’re a hiring manager at an international company sitting in Silicon Valley. You’ve been studiously, judiciously, taking your anti-anxiety medication through the run-up to and implementation of the European Union’s General Data Protection Regulations, making sure all the personal data you’ve stored complies with the directives from Brussels, and so far, your company hasn’t been fined. Post-May 25th tensions have dialed down and everyone on your team knows what needs to be done to protect the data of candidates, as well as past and current employees. This is good.

And then the California state legislature goes and unanimously passes AB-375, set to go live in January 2020, quoted in Fortune as “almost European-grade privacy rules”.

And if Europeans felt that the GDPR framework came from too high up with too little consultation, Californian Robert Callahan, vice-president of state government affairs for the Internet Association, feels about the same. “Data regulation policy is complex and impacts every sector of the economy, including the internet industry,” he said. “That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

It’s still early days and future experts are just now boning up, but while we can expect the same kind of anxiety and speculation that occurred around GDPR, SmartRecruiters has made sure that no matter the size of your business, we provide global compliance features to keep you covered, as of, well, right now.  

That means even our smallest customers will be able to:

• Set a Privacy Policy (default or country-specific)
• Set a Data Retention Period (default or country-specific)
• Turn on GDPR Setting Automatic Deletion (default or country-specific)
• See what privacy advice is given based on country or countries of operation

More on this to follow as Big Tech hits back at the new law, and we investigate the ins and outs of what California companies will have to do to comply with yet another layer of data privacy protocol.