In the wake of the European Union's 2018 General Data Protection Regulation, the California Consumer Privacy Act kicked in on Jan. 1, ushering in statewide legislation with striking similarities to the GDPR. Channel firms that operate businesses in California, or have clients in that state, are taking stock of how CCPA requirements affect both their customers' and their own business operations.
The CCPA applies to for-profit businesses that meet any one of three thresholds, according to the legislation: annual gross revenues of $25 million or more; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices for commercial purposes; or deriving 50% or more of annual revenues from selling consumers' personal information.
All California businesses must cooperate with consumer requests to verify, delete or change personal information stored by the organization, noted Patrick Monaghan, chief legal officer and general counsel at SADA Systems, a cloud technology consultancy and Google Cloud partner based in Los Angeles. In response to CCPA, SADA is inventorying its data and ensuring adequate segregation and encryption measures are in place, he said.
"Depending on the nature of your business, you have different levels of compliance responsibility," Monaghan said. "We have a flurry of requests from consumer-facing businesses in California that support and facilitate requests from consumers to delete or change their data."
Monaghan stressed that SADA is not offering compliance services and doesn't have a stand-alone CCPA-related offering. The company is "making sure [we tell] our customers who have primary responsibility for this data … we'll support them in furtherance of compliance by providing the inventories and honoring our obligations to manage, support and protect their consumers' data."
CCPA uncertainty lingers
There is likely to be some confusion over the CCPA, since MSPs outside California also need to pay attention to the new law, observed Charles Weaver, CEO of the MSPAlliance, which published a guide on CCPA readiness for MSPs.
"We will likely be seeing many customers seeking out the advice of their MSPs in order to prepare for and become compliant with CCPA," Weaver said.
There are many similarities between GDPR and CCPA requirements, and companies remain uncertain about how CCPA will be enforced, he said. "Like GDPR, we didn't know until a year after it had gone into effect."
Monaghan agreed. The CCPA law is "very daunting because [it] was fairly hastily rolled out, and there's a lot of questions about interpretation and applicability, and it will be some months before issues will be addressed by the attorney general," he said.
Monaghan believes California's attorney general is required to issue regulations, or more specific details, about the law by July 1. The state can't bring any enforcement actions before then. "Effectively, you're supposed to be complying by day one, but [California is] giving people a 'soft opening' since questions will be raised," he said. In the meantime, "we are certainly cooperating with our customers' needs and haven't found institutional resistance with third parties we call upon to help us meet our obligations."
What to know about the CCPA requirements
Christina Walker, global director for channel at Blancco Technology Group, a firm based in Austin, Texas, that provides data erasure software, said the vendor is working with its channel partners to understand how the CCPA applies to partners that support California businesses.
"It's very much a consumer-driven regulation," Walker noted. The CCPA "has elements of the GDPR," but it gives a consumer the ability to take two actions. First, the consumer can be proactive and ask to opt out of marketing activities a business has. As a result, it mandates companies to put an opt-out clause on their site so consumers can do that upfront. The second action a consumer can take is ask for their data to be deleted if they have existing business with a California company.
"Where that comes in with partners is not so much that they need to be regulatory specialists, but they do need to understand the regulatory components so they can propose solutions to the businesses that have to adhere to what the consumers are asking [for]," Walker said.
SADA "from time to time collects personal information from consumers who are interested in Google," Monaghan noted. Because of that data-collection practice, the firm trains employees and has created a number of safeguards around how that information is gathered to ensure they are meeting their data privacy obligations.
"We have a formal training program and are doing a data inventory gap analysis right now … to identify what changes we need to make when we first engage with a customer," he said.
SADA is also updating its privacy policies and, in some cases, changing its standard operating procedures about how and when the company collects personally identifiable information from a customer. It is either done at the point of entry on the web or deferred until there is an agreement in place.
How partners can help their clients
There are three levels of responsibility under the new law, Monaghan said: your responsibility as a customer-facing business, as a service provider, and as a third party collecting information from a source other than the consumer.
"We work closely with channel partners for other resell opportunities -- so, non-Google partners -- where we may convey information related to a sales lead that we share with a third party," he explained. "We want to make sure they have processes in place to meet their obligation."
The opportunity for MSPs is to provide offerings that satisfy a consumer's rights under the CCPA, according to Walker. "Proactive partners provide a consultative approach to their [clients] and are saying, 'Do you have a plan if a consumer enacts this right?' They will also be asking their customers, 'What's your plan if they want to do an opt-out or if a consumer wants you to remove their data? How will you do that and prove it?' That's where our partners can really help their customers meet the CCPA," she said.
So far, Blancco hasn't found many challenges with California's new legislation, because some of the businesses it works with already have processes in place for GDPR compliance. "The complexity is going to come with those businesses that do not have an international arm and those that are net-new," Walker said. The firm has been educating its "impacted partners" for the past six months, she added.
The best advice for MSPs is to be aware of customers that must comply with CCPA requirements and the type of data those customers have you managing, Weaver said. Knowing those two things will prepare most MSPs for CCPA, he added. In addition, MSPs should have their service agreements reviewed to ensure CCPA compliance, define their internal service delivery policies clearly and ensure their external service provider controls are well defined and operating effectively.
Should all partners become CCPA compliant?
Industry watchers predict other states will follow California and soon introduce similar data privacy laws. Monaghan, Walker and Weaver unequivocally agreed that regardless of the state they operate in, partners should strive to become CCPA compliant to ready themselves for new data privacy standards.
Monaghan believes CCPA-level standards will become the norm everywhere in the U.S.
"As California goes, so goes the nation," he said. "I believe this comprehensive approach to privacy will become the norm in states across the country. … So, it makes sense to move to highest levels of data privacy and security."
Weaver said, "MSPs all over the world should be aware of these various laws because they are eerily similar and we should expect more in the future. Data regulation is going to be common no matter where your MSP practice is or where your customers are."