Written by Charles Weaver, CEO of MSPAlliance
We have been writing about and discussing CCPA for the past year, but 2020 is almost here, and that means CCPA compliance will be the law. MSPs operating within the state of California are directly implicated in this data protection law. However, MSPs outside the state also need to pay attention to the law many are calling “GDPR for the United States”.
Let’s examine how this law could impact MSPs and what you should be doing to prepare.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a law intended to protect individuals against the misuse of their data by third parties. CCPA defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” If this sounds like a very expansive definition of personal data, you are right. In many ways, CCPA has a broader view of personal data than GDPR does.
Does CCPA Apply to Me?
Here is a list of the companies that must comply with CCPA:
- For-profit companies with greater than $25 million in revenues.
- Companies that buy, receive, sell, or share consumer data from 50,000 or more consumers, households, or devices, or
- Companies that gain a majority of their annual revenue from the selling of personal data.
For those of you paying attention, there is no requirement that your company have a presence in California for CCPA to apply to you. CCPA was intended to have a wide reach, just like GDPR.
Does CCPA Impact Me?
In the broader context, the answer is yes: CCPA will impact you even if you do not notice it. Some companies are preparing for CCPA by eliminating any distinction between their California and non-California business customers.
For example, Microsoft recently stated in a blog post that the company would be complying with CCPA everywhere in the United States.
Heikki Nousiainen, CTO and Co-Founder at Aiven, had this to say about Microsoft’s decision: “Microsoft’s move to honor CCPA across the United States is a signal to other companies to follow, considering other states will be creating their own versions of the law. Consumer demand for data transparency and protections has been rising for a while, which I think has created positive changes as more enterprises are now being held accountable. While enterprises have historically put consumer data privacy and security behind other priorities like scale and function, the backlash we’ve seen from consumers when private data is leaked has led to strict privacy laws such as GDPR and CCPA. Because of this, companies that have always put consumer protections first when collecting data will emerge as leaders in the next wave of technological advancement.”
So, Microsoft is taking the position that it will deal with the most stringent of state data privacy laws, which will be California as of January 1, 2020, and make California the default standard for all its dealings within the 50 United States.
One of the enforcement mechanisms available under CCPA is the private right of action. This means that someone can sue under CCPA if they believe their data has been compromised. It should be noted that the right to bring suit under CCPA does not require that your data was actually stolen, although theft is one trigger. The private right of action applies to any violation of the law as it pertains to your data. Such a violation could come from a failure to delete personal data, for example.
How Should MSPs Prepare for CCPA?
The simple answer, and arguably the very first step, is to determine whether or not you need to be compliant. Doing so means knowing what type of data you are managing and whether there are any California citizens within that managed data set.
Next, as with GDPR, getting a handle on your external service providers (i.e., vendors) is crucial. Since your legal liability could hinge on the third-party service providers you use to deliver your managed services, understanding whether these providers are vulnerable is a critical step.
Finally, understanding how you are managing your customer data is fundamental to mitigating your CCPA risk and exposure. Ask yourself the following questions:
- Do you have appropriate service agreements with your customers?
- Do you clearly define your internal service delivery policies and procedures?
- Have you limited your exposure to external service providers who could inadvertently put you at risk of a CCPA violation?
These questions (and many more) are all essential aspects to consider as you approach CCPA compliance in 2020.
If your MSP practice is interested in speaking with someone at MSPAlliance about your CCPA compliance roadmap, please contact us for a consultation.