California's Consumer Privacy Act and the Cloud
Enforcement begins July 1 — it's time to look to readiness.
March 17, 2020
By Victoria Geronimo
Victoria Geronimo
By Victoria Geronimo, Product Manager, Security & Compliance, 2nd Watch
Since the European Union introduced the General Data Protection Regulation (GDPR) in 2018, all eyes have been on the United States to see if it will follow suit. While a number of states have enacted data privacy statutes, California’s Consumer Privacy Act (CCPA) is the most comprehensive U.S. state law to date. Entities were expected to be in compliance with CCPA as of Jan. 1; enforcement begins July 1.
CCPA compliance requires entities to think about how the regulation will affect their cloud infrastructures and development of cloud-native applications. Specifically, companies must understand where personally identifiable information (PII) and other private data lives and how to process, validate, complete and communicate consumer information and consent requests.
How to Ensure CCPA Compliance
CCPA gives California residents greater privacy rights over their data that is collected by companies. It applies to any business that has customers in California and that either has gross revenue of more than $25 million or that acquires personal information from more than 50,000 consumers per year. It also applies to companies that earn more than half their annual revenue selling consumers’ personal information.
To ensure compliance, the first thing firms should look at is whether they’re collecting PII, and if they are, ensuring they know exactly where it’s going. CCPA not only mandates that California consumers have the right to know what PII is being collected, it also states that customers can dictate whether it’s sold or deleted. Further, if a company suffers a security breach, California consumers have the right to sue that company under the state’s data notification law. This increases the potential liability for companies whose security is breached, especially if their security practices don’t conform to industry standards.
Regulations regarding data privacy are proliferating and it’s imperative that companies set up an infrastructure foundation that helps them evolve fluidly with these changes to the legal landscape, as opposed to “frankensteining” their environments to play catch up.
The first is data mapping in order to know where all consumer PII lives and, importantly, where California consumer PII lives. This requires geographic segmentation of the data. There are multiple tools, including cloud-native ones, that empower companies with PII discovery and mapping.
Secondly, organizations will need to have a data deletion mechanism in place and an audit trail for data requests, so that they can prove they have investigated, validated and adequately responded to requests made under CCPA. The validation piece is also crucial – companies must make sure the individual requesting the data is who they say they are.
And thirdly, having an opt-in or out system in place that allows consumers to consent to their data being collected in the first place is essential for any company doing business in California. If the website is targeted at children, there must be a specific opt-in request for any collection of California consumer date. These three steps must be followed with an audit trail that can validate each of them.
The Cloud
It’s here that we start to consider the impact on cloud journeys and cloud-native apps, as this is where…
…firms can start to leverage tools that Amazon or Azure, for example, currently have, but that haven’t been integral for most businesses in a day-to-day context until now. This includes artificial intelligence (AI) learning tools for data discovery, which will help companies know exactly where PII lives, so that they may efficiently comply with data subject requests.
Likewise, cloud infrastructures should be set up so that firms aren’t playing catch up later on when data privacy and security legislation is enacted elsewhere. For example, encrypt everything, as well as making sure access control permissions are up to date. Organizations must also prevent configuration drift with tools that will automate closing a security gap or port if one gets opened during development.
For application development teams, it’s vital to follow security best practices, such as Center for Internet Security benchmarks, standards from the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP) Top Ten. These teams will be getting the brunt of the workload in terms of developing website opt-out mechanisms, for example, so they must follow best practices and be organized, prepared and efficient.
The Channel and the Cloud
For channel partners, there are a number of considerations when it comes to CCPA and the cloud. For one, partners who are in the business of infrastructure consulting should know how the legislation affects their infrastructure and what tools are available to set up a client with an infrastructure that can handle the requests CCPA mandates.
This means having data discovery tools in place, which can be accomplished with both cloud-native versions and third-party software. Also, making sure notification mechanisms are in place, such as email, or if you’re on Amazon, SNS (Simple Notification Service). Notification mechanisms will help automate responding to data subject requests. Additionally, logging must be enabled to establish an audit trail. Consistent resource tagging and establishing global tagging policies is integral to data mapping and quickly finding data. There’s a lot from an infrastructure perspective that can be done, so firms should familiarize themselves with tools that can facilitate CCPA compliance that may have never been used in this fashion, or indeed at all.
Ultimately, when it comes to CCPA, don’t sleep on it. GDPR went into effect less than two years ago, and already we have seen huge fines doled out to the likes of British Airways and Google for compliance failures. The EU has been aggressive about ensuring compliance, and California is likely to follow the same game. They know that to give CCPA any teeth, they have to make sure they prosecute it.
Victoria Geronimo is product manager for security and compliance at 2nd Watch. She has a bachelor’s degree from the University of Maryland and earned her J.D. law degree at Fordham University School of Law. Follow her on LinkedIn or @2ndwatch on Twitter.
Read more about:
MSPsYou May Also Like