What MSPs Need to Know About the California Consumer Privacy Act

Companies doing business in California may be required to give consumers greater control over the data that’s collected and how it’s used — and they’re looking to MSPs for help complying with the act.

In 2018, California passed the California Consumer Privacy Act, which gives consumers control over whether businesses collect, share or sell their personal information. The act also gives people the right to delete their data, requires opt-in before a business sells personal data of people younger than 16, and holds businesses accountable for data security.

Michael Flavin, Director of Technology Sales for Saalex Information Technology, says their customers are asking for help more often as the January 1, 2020 deadline — when the law goes into effect — approaches. Businesses also have a lot of questions and are turning to their trusted managed service providers (MSPs) or IT solutions providers for answers. Here are answers to some of the most common questions:

    • How can businesses know if the California Consumer Privacy Act applies to them?

Flavin says the CCPA law affects all companies with at least $25 million annual revenue that deal with California consumers, whether the business is based in California, in another state, or even overseas. It also applies to businesses that gather personal data of at least 50,000 consumers or collect more than half of their revenue from the sale of personal data. Flavin points out that California allows businesses to offer financial incentives to consumers who share their private data, but they must opt in.

    • What are the reporting requirements?

If a consumer requests a report of their data from the previous 12 months from a business or a third party, the business must provide it within 45 days. If there is a notice of violation, the business has 30 days to comply. Flavin adds that businesses are not required to report breaches — consumers must file complaints.

    • What are the penalties for noncompliance?

Flavin says your customers need to be aware of potential fines: up to $7,500 per record for civil suits and possible class action suits with $100 to $750 per consumer per incident (intentional or unintentional). “These can add up,” comments Flavin. 

How MSPs Can Help Their Clients Comply with the California Consumer Privacy Act

To help your clients comply with the act, Flavin says a good place to start is by performing a risk assessment and reviewing and assessing a business’s current data protection policies and procedures. Managed security service providers can also make recommendations to implement a privacy and security plan.

“Businesses need to perform assessments of their data processing, storage and protection procedures in order to identify any areas for potential breaches,” says Flavin. “This might involve all departments inventorying their applications that house personal data and mapping how data is transmitted across shared or collaborative environments.”

Flavin says businesses are also concerned about protecting the rights of consumers, so it’s vital to give priority to solutions that provide transparency into data collected on individuals, how it’s used, and how to identify it and respond to requests to delete it.

With the CCPA enforcement deadline just a few months away, it’s also a great time to speak to your clients about security, since the act requires that “reasonable security measures” are in place.

With GDPR going into effect last year, the California Consumer Privacy Act enacted, and more government entities likely to address the issue of consumer privacy in the future, the solutions you develop can have value to any of your clients that want to implement best practices for managing data and keeping consumers’ personal information safe. Is your business ready to address this need?