California “GDPR” is Coming
It was only a matter of time before another legislative body took notice of the European Union’s GDPR law and created one of their own. It should not be any surprise that the state of California is arguably the first state in the United States to craft a “GDPR” style data privacy law which is both sweeping in scope and designed to push the limits of regulatory burden versus privacy protections.
The California Consumer Privacy Act of 2018 was signed into law last year, and while everyone has been focusing on GDPR, nobody seemed to notice what California was doing. However, this doesn’t mean that the CCPA won’t have the same level of impact as GDPR has had. I think it could be even more significant, especially for MSPs practicing in California, and the rest of the United States.
While the law does not formally go into effect until January 1, 2020, there are quite a few things which will impact MSPs of all sizes. Here is what we know.
Who is Impacted?
Any entity holding data on more than 50,000 people will be covered. My guess is a lot of MSPs will be impacted by this law simply because customers will be seeking out advice on how to comply. MSPs such as data centers and cloud providers holding data on more than 50,000 users will naturally be directly impacted and need to demonstrate compliance. Each violation has a fine of $7,500.
Right to be Forgotten
Similar to GDPR, CCPA also has a right to be forgotten provision. This means covered entities will be required to delete specific data sets at the request of users.
Right Not to Have Your Data Sold
The law also goes further than GDPR in placing restrictions around the sale of data, requiring entities to put warnings on websites, including “Do Not Sell My Data.” The law does not restrict the sale of personal data; it just allows the data subject to know a) whether their data has been captured, and b) whether their data has been sold.
We have entered a new era of managed services: the age of data management. Devices are dead, in the sense that the management of devices is less important than the data on them.
MSPs need to get a handle on their internal data, and the data they manage on behalf of customers. This is our next big professional hurdle. If any of you have wondered why security is factoring so heavily in the managed services professional community, this is one of the reasons why.
It is relatively certain that this law will be challenged in the courts. Until that happens, MSPs located within or doing business in California had better become familiar with CCPA. Something tells me this is not going to go away soon.