California Data Privacy Law Could Create Channel Opportunities

MSPs and others in the channel could find themselves in higher demand generated by a new California data privacy measure.

California voters this week passed Prop. 24, the Consumer Privacy Rights Act (CPRA). The ballot measure expands the state’s existing privacy laws. It includes provisions allowing consumers to direct businesses to not share their personal information.

Furthermore, it removes the time period in which businesses can fix violations before being penalized. And it creates the Privacy Protection Agency to enforce the state’s consumer data privacy laws.

It will take effect July 1, 2021.

The proposition updated the California Consumer Privacy Act (CCPA). It became law in June 2018.

Needing Outside Help

IntraEdge’s Dan Clarke

Dan Clarke is president of IntraEdge. He said more and more companies will be looking for outside help and technologies to comply with new data privacy laws.

“Companies won’t be building privacy solutions from the ground up,” he said. “Instead, they will want to partner with those with a deep understanding of the privacy space to ensure their processes are compliant and help businesses identify solutions that are built with the CPRA regulations in mind.”

Prop. 24 will significantly impact consumer privacy in the United States, Clarke said.

“Suppose the Attorney General sends out 40 privacy notices in a month,” he said. “In that case, a dedicated enforcement agency could efficiently review the same number of notices in a day, which means more companies need to ensure they are making an effort to comply under the CPRA.”

Companies are reluctant to be as visibly compliant as the law would like them, Clarke said.

“And we have seen them take a wait-and-see approach with numerous companies neglecting visible privacy notices,” he said. “But when the CPRA goes into effect, enforcement rates will be much higher compared to the CCPA. The additional privacy requirements could pose challenges for companies under the CPRA, especially with the new definition of sharing and addressing the sensitive information category.”

Automation Can Help

Automation can help speed up subject access requests, Clark said.

“A true end-to-end solution should automate the entire consumer privacy user experience by automating the intake request, search, extract and present the data to the consumer all in one seamless process,” he said.

The CPRA has been easier to read and transparent with the new updates under the regulation, Clarke said.

“While businesses that aren’t under the General Data Protection Regulation (GDPR) may find it challenging to address the new sensitive information category and understand how to deal with this type of information, they should seek legal guidance,” he said.

A privacy provider can help them scale their privacy program to adjust to new updates in the privacy landscape under the CPRA and beyond, Clarke said.

Kaseya’s Max Pruger

Max Pruger is general manager of compliance at Kaseya. He said Prop. 24 shows the need for compliance is not going away. And more rules are being passed and existing regulations continue to evolve.

“CCPA and Prop. 24 are just two examples of how states are addressing privacy rules,” he said. “And it’s only a matter of time before the federal government passes an equivalent to GDPR. Businesses have struggled to navigate this ever-changing world of increasingly complex rules, especially when it comes to data privacy and security. It has especially overwhelmed SMBs, who often do not have the resources to hire internal compliance professionals.”

Business Need to be Proactive

Though the rules continue to evolve, businesses need to be proactive and plan for a future with more compliance regulations built on existing laws, Pruger said.

“Organizations should create a forward-thinking compliance strategy and seek out integrated, automated solutions that allow them to easily document necessary information and due diligence on an ongoing basis,” he said. “And this is the area where MSPs can help SMBs. If businesses wait until it’s absolutely necessary to maintain compliance, they will be too far behind the curve.”

Because Prop. 24 is focused on data privacy, MSPs don’t have as much opportunity to help businesses comply with this new set of rules, Pruger said.

However, there are many opportunities for MSPs to help organizations meet ever-evolving data security compliance needs, he said. MSPs can provide services that help SMBs assess their IT environments, identify and remediate issues and document evidence of compliance.