IF YOU or your customers were not impacted by the EU’s General Data Protection Regulation, which gives European consumers more control over their personal information (PI), just wait. Here comes the California Consumer Privacy Act of 2018 (CCPA), which takes effect January 2020.
Under CCPA, any firm that does business with or employs the roughly 12 percent of Americans who live in California and stores, sells, collects, or purchases their PI, must:
- Tell those Californians what categories and specific pieces of PI are being collected about them, their devices, and their children, as well as the collection sources and purposes, up to twice a year and free of charge. If that data is sold, firms must be prepared to tell them which categories of data were sold and to whom.
- Provide a portable copy of said info and/or delete it upon a customer’s request.
- Clearly display such privacy practices and opt-out options wherever PI is collected, in plain, accessible language.
- Exact no suspension or reduction in the service or products provided in response to a customer’s exercise of data rights.
Those rules apply to service providers too. Your MSP customers must limit your use of their consumers’ PI to business purposes only, and require you to provide or delete data as necessary to comply with consumer requests. The consequences of breaching that requirement can be costly, says Alan Friel, partner in the privacy and data security department at law firm Baker & Hostetler, in Los Angeles. Consumers can bring civil action for certain security breaches. The California Attorney General’s office can sue as well if a violation is not “cured” within 30 days of notice, and can seek penalties for violations (up to $2,500 for unintentional violations and $7,500 for intentional ones).
Businesses with under $25 million in revenue, or those that collect or receive PI from fewer than 50,000 different consumers, devices, or households per year, slip under the law’s requirements. But that bar is lower than it sounds, because every website visit or credit card transaction leaves a PI bread crumb. Friel and Baker Hostetler associate Niloufar Massachi point out that a mere 138 consumers making credit card transactions per day, or an average of 138 daily unique website visitors, will meet that bar. So does any California-connected business that makes at least half its revenue by selling personal data.
Campbell Hutcheson, chief compliance officer at Datto Inc., suggests that MSPs prepare for CCPA by creating data maps of storage location and application flow for affected customers. “They should also be ready to assist customers with data information requests,” he says, adding that while the PI covered by the notice and information request obligations goes back to January 1, 2019, consumers may demand that all their records—with limited exceptions—be wiped and/or handed over.