New State Privacy Laws Raise Stakes for MSPs

2023 saw a surge in state-level consumer privacy legislation in the US, and that landscape continues to evolve rapidly, with individual states taking the lead in the absence of a comprehensive federal law. As of today, 15 U.S. states have enacted comprehensive consumer data privacy laws, granting individuals greater control over their personal information. Three states – Delaware, Iowa, and Tennessee – will see their new data privacy laws go into effect in 2025. Indiana's law will follow suit in 2026.

What MSPs Need to Know

MSPs and their clients with residents in these states will likely need to revisit their data protection protocols to ensure compliance with new state laws. While not as extensive as California's CCPA/CPRA, these laws all mandate cybersecurity measures including:

Transparency in privacy practices

Many state privacy laws require a Data Protection Impact Assessment (DPIA) or a similar evaluation. MSPs and their clients should initiate planning for these assessments promptly, as they are necessary for systems or applications that process personal data.

Limited collection of personal data

The primary challenge for MSPs and their clients lies in identifying personal data, particularly sensitive information, as the definitions provided are broad and, in some instances, quite expansive.

Specific regulations for data processors

Another critical task for MSPs is reviewing agreements with partners and clients, as some new laws mandate agreements with detailed consumer privacy terms. It is essential for MSPs and their clients to address these agreements promptly to ensure compliance.

Want to learn all the details? We’ve got the links to help you dig in:

Contact Compliance Scorecard

Ask us how we can help you manage compliance by using our 4A govern practices capabilities (Alignment, Authorization, Adoption, Assessment). With our governance-as-a-service platform, you can become a compliance superstar.
