California’s Consumer Privacy Act and the Cloud

Managed Services News

Mar 17

Enforcement begins July 1 — it’s time to look to readiness.

By Victoria Geronimo, Product Manager, Security & Compliance, 2nd Watch

Since the European Union introduced the General Data Protection Regulation (GDPR) in 2018, all eyes have been on the United States to see if it will follow suit. While a number of states have enacted data privacy statutes, California’s Consumer Privacy Act (CCPA) is the most comprehensive U.S. state law to date. Entities were expected to be in compliance with CCPA as of Jan. 1; enforcement begins July 1.

CCPA compliance requires entities to think about how the regulation will affect their cloud infrastructures and development of cloud-native applications. Specifically, companies must understand where personally identifiable information (PII) and other private data lives and how to process, validate, complete and communicate consumer information and consent requests.

How to Ensure CCPA Compliance

CCPA gives California residents greater privacy rights over their data that is collected by companies. It applies to any business that has customers in California and that either has gross revenue of more than $25 million or that acquires personal information from more than 50,000 consumers per year. It also applies to companies that earn more than half their annual revenue selling consumers’ personal information.

To ensure compliance, the first thing firms should look at is whether they are collecting PII and, if they are, ensuring they know exactly where it is going. CCPA not only mandates that California consumers have the right to know what PII is being collected, it also states that consumers can dictate whether it is sold or deleted. Further, if a company suffers a security breach, California consumers have the right to sue that company under the state’s data breach notification law. This increases the potential liability for companies whose security is breached, especially if their security practices do not conform to industry standards.

Regulations regarding data privacy are proliferating, and it is imperative that companies set up an infrastructure foundation that helps them evolve fluidly with these changes to the legal landscape, as opposed to “frankensteining” their environments to play catch-up. Three steps lay that foundation:

  • The first is data mapping, in order to know where all consumer PII lives and, importantly, where California consumer PII lives. This requires geographic segmentation of the data. There are multiple tools, including cloud-native ones, that give companies PII discovery and mapping capabilities.
  • Secondly, organizations will need a data deletion mechanism in place and an audit trail for data requests, so that they can prove they have investigated, validated and adequately responded to requests made under CCPA. The validation piece is also crucial: companies must make sure the individual requesting the data is who they say they are.
  • Thirdly, having an opt-in or opt-out system in place that allows consumers to consent to their data being collected in the first place is essential for any company doing business in California. If the website is targeted at children, there must be a specific opt-in request for any collection of California consumer data. Each of these three steps must be backed by an audit trail that can validate it.

The Cloud

It’s here that we start to consider the impact on cloud journeys and cloud-native apps, as this is where…
