Newton’s third law states that “for every action there is an equal and opposite reaction.” The push and pull of consumer rights legislation and business data use is a good example of Newton’s principle.
As business leverages – and at times mishandles – consumer data, consumers push back through their elected officials to enact legislation intended to strike a balance between consumer privacy and the legitimate business use of personal data.
In the past five years, there has been a push within state houses and the federal government here in the USA to follow consumer privacy protections that have been established in the EU (GDPR) and Canada (CPPA).
California has taken the most significant steps toward consumer privacy protection with the CCPA (California Consumer Privacy Act), and other states have begun to follow California’s example.
MSPs need to be aware of the CCPA for several reasons.
- Many of your clients may fall under CCPA jurisdiction.
- CCPA outlines the data security steps that your clients must take to become and maintain compliance.
- Becoming fluent in CCPA compliance not only helps your clients but is a selling feature for your MSP as you speak to prospective clients.
What is the CCPA?
The California Consumer Privacy Act was introduced in 2018 and, along with significant amendments, became law in October of 2019. Proposition 24 was approved by the California voters in the November 2020 election, and when it comes into effect (January 2023) will further strengthen the consumer protections envisioned by the CCPA.
The purpose of the CCPA (2018) was to push back against the sale, misuse, and unauthorized access of the average consumer’s data held within a company’s IT ecosystem.
After a short “grace period,” enforcement of compliance with the CCPA began on Jan 1, 2020.
Today, organizations doing business in California must adhere to strict rules surrounding the acquisition, storage, access, erasure, and sharing/sale of private data collected from consumers. Going forward, companies across the USA – and the world – are going to depend on their MSP to help them sort through the mandates of CCPA and bring their company into compliance with the legislation.
According to the Office of the Attorney General of California, the CCPA provides consumers with:
As you can see, compliance with the first three bullet points on the Attorney General’s list is facilitated by data technology within a company. Helping the SMB with their compliance efforts puts your MSP in the position of a trusted advisor and provides you with a unique value proposition.
What Personal Information Does CCPA Protect?
The CCPA is pretty broad in its description of personal information. The Attorney General says that personal information is any data that can “reasonably be linked” to an individual or household.
That personal information includes – but is not limited to:
- name
- address
- email address
- IP address
- financial transaction data
- financial information
- biometrics
- cookies and browsing history
- geolocation information
- personal identification numbers – social security, license, passport, etc.
What Companies Fall Under CCPA Jurisdiction?
It’s important for your MSP to know which of your clients must comply with the mandates of CCPA. Sometimes SMB owners are not aware of their obligations – especially if they don’t have any physical offices within the state of California.
Here’s what you need to know to determine if a client – or a prospective client – is subject to CCPA.
- Your client is a for-profit business. (Nonprofits and governments are exempt.)
- Your client does business in California.
- Your client either directly or indirectly collects personal information from residents of California.
- Your client meets at least one of these three benchmarks for compliance:
  - They have a gross revenue of over $25 million.
  - They collect, buy, or sell the data of more than 50,000 homes, devices, or individuals within California.
  - They get more than 50% of their annual revenue from the sale of California residents’ personal information.
It’s important to note that your client’s business does not need to have an office in California to be constrained by CCPA. They simply have to be doing business with Californians to be subject to the legislation.
What Does CCPA Mean for Your SMB Clients?
Any company – regardless of size – that is doing business with California residents and meets the criteria outlined above needs to put the following into place.
- They need a privacy policy in place and posted on their website.
According to the Office of the Attorney General of California, the privacy policy must “include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale, and the Right to Non-Discrimination.”
- They need CCPA compliance training in place for their employees to prevent the mishandling of data.
- They need cybersecurity, encryption, and other data protection measures in place to avoid penalties related to data breaches.
- They need to post a “notice at collection” before or at the time of private data collection (whether in-person or online). This “notice at collection” will delineate the categories, reasons, and intended uses of the data being volunteered by the consumer. The notice will also include a Do Not Sell link.
- They need to design and enact a process for consumers to avail themselves of their privacy protection rights outlined in CCPA.
- They need to review vendor contracts and implement service provider provisions, ensuring that vendors are in compliance with CCPA.
The Penalties of Non-compliance with CCPA
Enforcement actions over your client’s CCPA compliance violations can come from two sources:
- Being sued by a consumer under CCPA
Fines for failure to implement “reasonable” security measures are based on the greater of $100 to $750 for each incident and each consumer involved, or actual damages incurred by the consumer.
- Being audited and fined by the California Attorney General’s Office under CCPA
Fines from the California Attorney General’s Office range from $2,500 to $7,500 for each violation.
CCPA-type Legislation – Coming Soon to a State Near You – Maybe Yours
The International Association of Privacy Professionals has undertaken the task of maintaining an up-to-date scorecard of states that are considering and/or implementing consumer privacy legislation. This is their scorecard as of 3/15/2021.
The compilation of the data for this IAPP scorecard is done by the Westin Research Center. Check the IAPP site for their most recent data on state-by-state progress of consumer privacy legislation.
How Your MSP Can Help SMBs with CCPA
- Become their go-to CCPA compliance resource.
Although not everything related to CCPA compliance has to do with technology, you will become invaluable in the eyes of your MSP clients if you can take as many of their CCPA compliance tasks off their plate as possible.
- Encrypt everything.
Make sure that everything from their data collection systems and email to data sharing portals with vendors is encrypted.
- Train employees.
Undoubtedly, you are already pushing your clients to allow you to do cybersecurity training with their employees. CCPA compliance training goes hand-in-glove with that effort and should be a part of that conversation.
- Show them that compliance with CCPA puts them on a good footing to be compliant with GDPR, PCI, and other international compliance requirements.